Windows Analysis Report
17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe

Overview

General Information

Sample name: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe
Analysis ID: 1569786
MD5: 7f2ebe83b860a8de1f3ce798c79b5935
SHA1: 3fbea97a5aa637271311851fd152ee37e813c44f
SHA256: fd125d03b2bc8512a9a5dcc6df9ca5045208442bc047af50b5f0a359103c1ba8
Tags: base64-decoded, exe, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["jawa123.duckdns.org:9005:1"], "Assigned name": "HOME", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "vlc.exe", "Startup value": "chorne", "Hide file": "Disable", "Mutex": "net-YA1YXM", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "vlc", "Keylog folder": "remcos", "Keylog file max size": "100"}
Source | Rule | Description | Author | Strings
17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x679e0:$a1: Remcos restarted by watchdog!
  • 0x67f38:$a3: %02i:%02i:%02i:%03i
  • 0x682bd:$a4: * Remcos v
17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe | REMCOS_RAT_variants | unknown | unknown
  • 0x629e4:$str_a1: C:\Windows\System32\cmd.exe
  • 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x61a0c:$str_b2: Executing file:
  • 0x62b28:$str_b3: GetDirectListeningPort
  • 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x62630:$str_b7: \update.vbs
  • 0x61a34:$str_b9: Downloaded file:
  • 0x61a20:$str_b10: Downloading file:
  • 0x61ac4:$str_b12: Failed to upload file:
  • 0x62af0:$str_b13: StartForward
  • 0x62b10:$str_b14: StopForward
  • 0x625d8:$str_b15: fso.DeleteFile "
  • 0x6256c:$str_b16: On Error Resume Next
  • 0x62608:$str_b17: fso.DeleteFolder "
  • 0x61ab4:$str_b18: Uploaded file:
  • 0x61a74:$str_b19: Unable to delete:
  • 0x625a0:$str_b20: while fso.FileExists("
  • 0x61f49:$str_c0: [Firefox StoredLogins not found]
17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe | INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer | detects Windows exceutables potentially bypassing UAC using eventvwr.exe | ditekSHen
  • 0x61900:$s1: \Classes\mscfile\shell\open\command
  • 0x61960:$s1: \Classes\mscfile\shell\open\command
  • 0x61948:$s2: eventvwr.exe

Source | Rule | Description | Author | Strings
00000000.00000003.2607794386.00000000005EE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000000.1672275967.0000000000456000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000000.1672275967.0000000000456000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x131e0:$a1: Remcos restarted by watchdog!
  • 0x13738:$a3: %02i:%02i:%02i:%03i
  • 0x13abd:$a4: * Remcos v
00000000.00000003.2628733515.00000000005EE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000003.2649104544.00000000005EE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Source | Rule | Description | Author | Strings
5.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
5.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x679e0:$a1: Remcos restarted by watchdog!
  • 0x67f38:$a3: %02i:%02i:%02i:%03i
  • 0x682bd:$a4: * Remcos v
5.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x629e4:$str_a1: C:\Windows\System32\cmd.exe
  • 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x61a0c:$str_b2: Executing file:
  • 0x62b28:$str_b3: GetDirectListeningPort
  • 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x62630:$str_b7: \update.vbs
  • 0x61a34:$str_b9: Downloaded file:
  • 0x61a20:$str_b10: Downloading file:
  • 0x61ac4:$str_b12: Failed to upload file:
  • 0x62af0:$str_b13: StartForward
  • 0x62b10:$str_b14: StopForward
  • 0x625d8:$str_b15: fso.DeleteFile "
  • 0x6256c:$str_b16: On Error Resume Next
  • 0x62608:$str_b17: fso.DeleteFolder "
  • 0x61ab4:$str_b18: Uploaded file:
  • 0x61a74:$str_b19: Unable to delete:
  • 0x625a0:$str_b20: while fso.FileExists("
  • 0x61f49:$str_c0: [Firefox StoredLogins not found]
5.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer | detects Windows exceutables potentially bypassing UAC using eventvwr.exe | ditekSHen
  • 0x61900:$s1: \Classes\mscfile\shell\open\command
  • 0x61960:$s1: \Classes\mscfile\shell\open\command
  • 0x61948:$s2: eventvwr.exe
9.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

                Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, ProcessId: 6568, TargetFilename: C:\Users\user\AppData\Roaming\remcos\logs.dat

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-06T10:07:13.372160+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 154.216.20.244 | 9005 | TCP
2024-12-06T10:08:43.186058+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49809 | 154.216.20.244 | 9005 | TCP
2024-12-06T10:08:43.530013+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49811 | 154.216.20.244 | 9005 | TCP
2024-12-06T10:08:57.389539+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49844 | 154.216.20.244 | 9005 | TCP
2024-12-06T10:09:08.389525+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49870 | 154.216.20.244 | 9005 | TCP
2024-12-06T10:09:28.842942+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49915 | 154.216.20.244 | 9005 | TCP
2024-12-06T10:09:33.139924+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49925 | 154.216.20.244 | 9005 | TCP
2024-12-06T10:11:18.422682+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50010 | 154.216.20.244 | 9005 | TCP
2024-12-06T10:11:18.625669+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50011 | 154.216.20.244 | 9005 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-06T10:07:16.004490+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 178.237.33.50 | 80 | TCP

                AV Detection

Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe | Avira: detected
Source: jawa123.duckdns.org | Avira URL Cloud: Label: malware
Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["jawa123.duckdns.org:9005:1"], "Assigned name": "HOME", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "vlc.exe", "Startup value": "chorne", "Hide file": "Disable", "Mutex": "net-YA1YXM", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "vlc", "Keylog folder": "remcos", "Keylog file max size": "100"}
Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe | ReversingLabs: Detection: 91%
Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe | Virustotal: Detection: 82%
Source: Yara match | File source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 5.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 6568, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 6192, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 6276, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 6020, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 6072, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 2668, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 5184, type: MEMORYSTR
Source: Submited Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe | Code function: 5_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData,5_2_00404423
Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000000.1672275967.0000000000456000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_15ef2a8b-9
Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe | Code function: 5_2_0040AE51 FindFirstFileW,FindNextFileW,5_2_0040AE51
Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe | Code function: 6_2_00407C87 FindFirstFileA,FindNextFileA,strlen,strlen,6_2_00407C87
Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe | Code function: 7_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,7_2_00407898
Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe | Code function: 10_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,10_2_00407898

                Networking

Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49730 -> 154.216.20.244:9005
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49811 -> 154.216.20.244:9005
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49809 -> 154.216.20.244:9005
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49844 -> 154.216.20.244:9005
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49870 -> 154.216.20.244:9005
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49915 -> 154.216.20.244:9005
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49925 -> 154.216.20.244:9005
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50010 -> 154.216.20.244:9005
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50011 -> 154.216.20.244:9005
Source: Malware configuration extractor | URLs: jawa123.duckdns.org
Source: unknown | DNS query: name: jawa123.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 154.216.20.244:9005
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1, Host: geoplugin.net, Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | ASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49731 -> 178.237.33.50:80
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: jawa123.duckdns.org
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.1717476206.00000000005EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2639412053.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, bhvA676.tmp.5.dr, bhvD249.tmp.8.drString found in binary or memory: http://geoplugin.net/json.gp
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeString found in binary or memory: http://geoplugin.net/json.gp/C
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2608000108.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2599183809.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2649310406.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2628733515.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2638471571.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2648048280.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2597663716.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2649104544.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2628935219.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2598728170.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 
00000000.00000003.2623293763.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2648225521.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2640984538.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2608743855.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.1717476206.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2627912130.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2607794386.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2627681034.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2618745887.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2624214746.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2617369250.00000000005D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpWVK
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2608000108.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2599183809.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2649310406.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2628733515.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2638471571.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2648048280.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2597663716.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2649104544.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2628935219.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2598728170.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 
00000000.00000003.2623293763.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2648225521.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2640984538.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2608743855.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.1717476206.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2627912130.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2607794386.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2627681034.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2618745887.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2624214746.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2617369250.00000000005D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gprVn
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 0000000A.00000002.2863335227.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 0000000A.00000003.2863128744.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 0000000A.00000003.2863084192.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 0000000A.00000002.2863335227.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.com
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000007.00000002.2750916801.0000000000400000.00000040.80000000.00040000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 0000000A.00000002.2863335227.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000007.00000002.2750916801.0000000000400000.00000040.80000000.00040000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 0000000A.00000002.2863335227.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000007.00000003.2750734979.0000000000A1D000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000007.00000003.2750670973.0000000000A1D000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 0000000A.00000003.2863128744.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 0000000A.00000003.2863084192.00000000008DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.comta
                Source: bhvA676.tmp.5.dr, bhvD249.tmp.8.drString found in binary or memory: http://www.msftconnecttest.com/connecttest.txt?n=1696334965379
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000005.00000002.2769095020.0000000000193000.00000004.00000010.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000008.00000002.2887519111.0000000000193000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 0000000A.00000002.2863335227.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000005.00000002.2771543382.000000000092D000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000005.00000003.2767842945.000000000092D000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000005.00000003.2767561674.000000000092D000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000008.00000003.2886873214.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000008.00000002.2888280520.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000008.00000003.2887137904.00000000009DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.liv
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeString found in binary or memory: https://login.yahoo.com/config/login
                Source: bhvA676.tmp.5.dr, bhvD249.tmp.8.drString found in binary or memory: https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?c6931b9e725f95cf9c20849dd6498c59
                Source: bhvA676.tmp.5.dr, bhvD249.tmp.8.drString found in binary or memory: https://www.digicert.com/CPS0
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 0000000A.00000002.2863335227.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                Source: bhvA676.tmp.5.dr, bhvD249.tmp.8.drString found in binary or memory: https://www.office.com/

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeWindows user hook set: 0 keyboard low level C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 5_2_0041183A OpenClipboard,GetLastError,DeleteFileW,5_2_0041183A
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 5_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,5_2_0040987A
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 5_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,5_2_004098E2
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 6_2_00406B9A EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,6_2_00406B9A
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 6_2_00406C3D EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,6_2_00406C3D
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 7_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,7_2_004068B5
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 7_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,7_2_004072B5
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 10_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,10_2_004068B5
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 10_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,10_2_004072B5

                E-Banking Fraud

                Source: Yara matchFile source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, type: SAMPLE
                Source: Yara matchFile source: 5.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 8.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 6.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 6568, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 6192, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 6276, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 6020, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 6072, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 2668, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 5184, type: MEMORYSTR

                System Summary

                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, type: SAMPLEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, type: SAMPLEMatched rule: REMCOS_RAT_variants Author: unknown
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, type: SAMPLEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                Source: 5.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 5.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                Source: 5.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                Source: 9.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 9.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                Source: 9.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                Source: 7.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 7.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                Source: 7.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                Source: 8.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 8.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                Source: 8.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                Source: 0.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                Source: 0.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                Source: 6.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 6.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                Source: 6.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                Source: 10.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 10.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                Source: 10.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                Source: 00000000.00000000.1672275967.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000006.00000000.2748254754.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000009.00000000.2860142643.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000005.00000000.2747605791.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0000000A.00000000.2861290351.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000007.00000000.2748773376.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000008.00000000.2859579477.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 6568, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 6192, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 6276, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 6020, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 6072, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 2668, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 5184, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeProcess Stats: CPU usage > 49%
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 5_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,5_2_0040DD85
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 5_2_00401806 NtdllDefWindowProc_W,5_2_00401806
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 5_2_004018C0 NtdllDefWindowProc_W,5_2_004018C0
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 6_2_004016FC NtdllDefWindowProc_A,6_2_004016FC
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 6_2_004017B6 NtdllDefWindowProc_A,6_2_004017B6
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 7_2_00402CAC NtdllDefWindowProc_A,7_2_00402CAC
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 7_2_00402D66 NtdllDefWindowProc_A,7_2_00402D66
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 10_2_00402CAC NtdllDefWindowProc_A,10_2_00402CAC
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 10_2_00402D66 NtdllDefWindowProc_A,10_2_00402D66
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 10_2_004032C810_2_004032C8
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 10_2_004222D910_2_004222D9
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 10_2_0040168910_2_00401689
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 10_2_00402F6010_2_00402F60
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: String function: 00413DCE appears 48 times
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: String function: 00414060 appears 50 times
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: String function: 004169A7 appears 87 times
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: String function: 0044DB70 appears 41 times
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: String function: 004165FF appears 35 times
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: String function: 00412968 appears 78 times
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: String function: 00413CE8 appears 58 times
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: String function: 00413D0C appears 36 times
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: String function: 00413D18 appears 42 times
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: String function: 00421A32 appears 43 times
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: String function: 00416760 appears 69 times
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: String function: 0044407A appears 37 times
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe Binary or memory string: OriginalFileName vs 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe Binary or memory string: OriginalFilename vs 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000007.00000002.2750916801.000000000041B000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe Binary or memory string: OriginalFilename vs 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 0000000A.00000002.2863335227.000000000041B000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, type: SAMPLE
                  Source: 5.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: 9.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: 7.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: 8.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: 0.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: 6.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: 10.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: 00000000.00000000.1672275967.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: 00000006.00000000.2748254754.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: 00000009.00000000.2860142643.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: 00000005.00000000.2747605791.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: 0000000A.00000000.2861290351.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: 00000007.00000000.2748773376.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: 00000008.00000000.2859579477.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 6568, type: MEMORYSTR
                  Source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 6192, type: MEMORYSTR
                  Source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 6276, type: MEMORYSTR
                  Source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 6020, type: MEMORYSTR
                  Source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 6072, type: MEMORYSTR
                  Source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 2668, type: MEMORYSTR
                  Source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 5184, type: MEMORYSTR
                Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, type: SAMPLE
                  Source: 5.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: 9.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: 7.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: 8.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: 0.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: 6.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: 10.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                  Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, type: SAMPLE
                  Source: 5.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: 9.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: 7.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: 8.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: 0.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: 6.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: 10.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@13/6@2/2
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe Code function: 5_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,5_2_004182CE
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe Code function: 7_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,7_2_00410DE1
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe Code function: 10_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,10_2_00410DE1
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe Code function: 5_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,5_2_00418758
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe Code function: 5_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle,5_2_00413D4C
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe Code function: 5_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy,5_2_0040B58D
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\json[1].json
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe Mutant created: \Sessions\1\BaseNamedObjects\net-YA1YXM
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe File created: C:\Users\user\AppData\Local\Temp\bhvA676.tmp
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe System information queried: HandleInformation
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000008.00000002.2887686322.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000008.00000002.2887686322.0000000000400000.00000040.80000000.00040000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000009.00000002.2862024211.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000008.00000002.2887686322.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000008.00000002.2887686322.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000008.00000002.2887686322.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000008.00000002.2887686322.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000005.00000003.2767655388.00000000020FB000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000005.00000002.2771852255.00000000020FB000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000005.00000003.2767336418.00000000020FB000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000005.00000003.2767199970.00000000020FB000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000008.00000003.2886718791.00000000021B8000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000008.00000003.2887216494.00000000021B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000008.00000002.2887686322.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeReversingLabs: Detection: 91%
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeVirustotal: Detection: 82%
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeEvasive API call chain: __getmainargs,DecisionNodes,exitgraph_6-32820
                Source: unknownProcess created: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe "C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe"
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeProcess created: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\qvsnmq"
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeProcess created: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\wfgmexfquvwjormwxnmvqsfnckapqyps"
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeProcess created: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\xjrvqnzhyavnhpgfptkxoggco"
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeProcess created: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\atkwdxhfhaecrerwdsjtdarotoqimtmgdh"
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeProcess created: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\azrbouitfbtqknwrahjxueeuvbutbfjrmv"
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeProcess created: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\xmdugchyslpaasitdca"
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeSection loaded: apphelp.dll
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeSection loaded: winmm.dll
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeSection loaded: urlmon.dll
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeSection loaded: wininet.dll
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeSection loaded: iertutil.dll
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeSection loaded: srvcli.dll
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeSection loaded: netutils.dll
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeSection loaded: sspicli.dll
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeSection loaded: mswsock.dll
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeSection loaded: dnsapi.dll
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeSection loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeSection loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeSection loaded: fwpuclnt.dll
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeSection loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeSection loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeSection loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeSection loaded: wldp.dll
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeSection loaded: profapi.dll
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeSection loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeSection loaded: winhttp.dll
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeSection loaded: winnsi.dll
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeSection loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeSection loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeSection loaded: version.dll
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeSection loaded: pstorec.dll
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeSection loaded: vaultcli.dll
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeSection loaded: wintypes.dll
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeSection loaded: dpapi.dll
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeSection loaded: msasn1.dll
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeFile opened: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.cfg
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                Data Obfuscation

                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeUnpacked PE file: 5.2.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeUnpacked PE file: 6.2.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeUnpacked PE file: 7.2.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeUnpacked PE file: 8.2.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeUnpacked PE file: 9.2.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeUnpacked PE file: 10.2.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 5_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,5_2_004044A4
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 5_2_0044693D push ecx; ret 5_2_0044694D
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 5_2_0044DB70 push eax; ret 5_2_0044DB84
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 5_2_0044DB70 push eax; ret 5_2_0044DBAC
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 5_2_00451D54 push eax; ret 5_2_00451D61
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 6_2_00444355 push ecx; ret 6_2_00444365
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 6_2_004446D0 push eax; ret 6_2_004446E4
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 6_2_004446D0 push eax; ret 6_2_0044470C
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 7_2_00414060 push eax; ret 7_2_00414074
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 7_2_00414060 push eax; ret 7_2_0041409C
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 7_2_00414039 push ecx; ret 7_2_00414049
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 7_2_004164EB push 0000006Ah; retf 7_2_004165C4
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 7_2_00416553 push 0000006Ah; retf 7_2_004165C4
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 7_2_00416555 push 0000006Ah; retf 7_2_004165C4
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 10_2_00414060 push eax; ret 10_2_00414074
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 10_2_00414060 push eax; ret 10_2_0041409C
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 10_2_00414039 push ecx; ret 10_2_00414049
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 10_2_004164EB push 0000006Ah; retf 10_2_004165C4
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 10_2_00416553 push 0000006Ah; retf 10_2_004165C4
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 10_2_00416555 push 0000006Ah; retf 10_2_004165C4
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 6_2_004047C6 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,6_2_004047C6
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 5_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,5_2_0040DD85
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe Window / User API: threadDelayed 5175
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe Window / User API: threadDelayed 4310
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe Window / User API: foregroundWindowGot 1767
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe TID: 6716 Thread sleep time: -129500s >= -30000s
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe TID: 4048 Thread sleep time: -15525000s >= -30000s
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe TID: 4048 Thread sleep time: -12930000s >= -30000s
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 5_2_0040AE51 FindFirstFileW,FindNextFileW,5_2_0040AE51
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 6_2_00407C87 FindFirstFileA,FindNextFileA,strlen,strlen,6_2_00407C87
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 7_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,7_2_00407898
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 10_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,10_2_00407898
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 5_2_00418981 memset,GetSystemInfo,5_2_00418981
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2627681034.000000000060C000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2639412053.000000000060C000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2623293763.000000000060C000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2617369250.000000000060C000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2597825935.000000000060C000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.1717570339.000000000060C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: bhvA676.tmp.5.dr, bhvD249.tmp.8.drBinary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
                Source: bhvD249.tmp.8.drBinary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeAPI call chain: ExitProcess graph end nodegraph_6-33715
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 5_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,5_2_0040DD85
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 5_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,5_2_004044A4
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe Process token adjusted: Debug

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe Section loaded: NULL target: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe protection: execute and read and write
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe Process created: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\qvsnmq"
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe Process created: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\wfgmexfquvwjormwxnmvqsfnckapqyps"
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe Process created: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\xjrvqnzhyavnhpgfptkxoggco"
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe Process created: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\atkwdxhfhaecrerwdsjtdarotoqimtmgdh"
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe Process created: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\azrbouitfbtqknwrahjxueeuvbutbfjrmv"
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe Process created: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\xmdugchyslpaasitdca"
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2607794386.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2608000108.00000000005EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managervider
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2628733515.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2624214746.00000000005EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerXM\c
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2627681034.000000000060C000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2639412053.000000000060C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dProgram Manager`
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2608000108.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2639412053.000000000060C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dProgram Manager
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2639412053.0000000000605000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2607794386.00000000005EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2624214746.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2623293763.00000000005EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerD
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2649310406.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2628733515.00000000005C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dProgram Manager039200092)
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2649104544.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2648225521.00000000005EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerer
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2628733515.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2624214746.00000000005EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerXM\7
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2624214746.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2640984538.00000000005EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerXM\x
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2640984538.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2638471571.00000000005EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager7
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2628733515.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2628935219.00000000005EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerx
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2628733515.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2649104544.00000000005EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerXM\
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2649104544.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2648225521.00000000005EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerXM\er
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2627681034.000000000060C000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2623293763.000000000060C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dProgram Manager8
                Source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2628733515.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.2649104544.00000000005EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 5_2_0041881C GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy,5_2_0041881C
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 6_2_00408043 memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,6_2_00408043
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: 5_2_0041739B GetVersionExW,5_2_0041739B
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match File source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, type: SAMPLE
                Source: Yara match File source: 5.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 9.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 7.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 8.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 6.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 10.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 6568, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 6192, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 6276, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 6020, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 6072, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 2668, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 5184, type: MEMORYSTR
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\AccountsJump to behavior
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\PaltalkJump to behavior
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\AccountsJump to behavior
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic SaltJump to behavior
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic SaltJump to behavior
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\AccountsJump to behavior
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\PaltalkJump to behavior
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live MailJump to behavior
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live MailJump to behavior
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: ESMTPPassword6_2_004033E2
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword6_2_00402DA5
                Source: C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword6_2_00402DA5
                Source: Yara matchFile source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 6192, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 6072, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match | File source: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, type: SAMPLE
                Source: Yara match | File source: 5.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 7.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.0.17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 6568, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 6192, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 6276, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 6020, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 6072, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 2668, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe PID: 5184, type: MEMORYSTR
                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 Access Token Manipulation | 2 Obfuscated Files or Information | 11 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 2 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 112 Process Injection | 1 Software Packing | 2 Credentials in Registry | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | 1 Credentials In Files | 18 System Information Discovery | Distributed Component Object Model | 11 Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Masquerading | LSA Secrets | 11 Security Software Discovery | SSH | 2 Clipboard Data | 22 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 4 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 112 Process Injection | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                [Behavior graph. ID: 1569786; Sample: 17334752451c3a43189360a7e5b...; Start date: 06/12/2024; Architecture: WINDOWS; Score: 100. Nodes shown: jawa123.duckdns.org (154.216.20.244, Seychelles; "Uses dynamic DNS services"), geoplugin.net (178.237.33.50, Netherlands), dropped file C:\Users\user\AppData\Roaming\...\logs.dat]

                Source | Detection | Scanner | Label | Link
                17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe | 92% | ReversingLabs | Win32.Trojan.Remcos |
                17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe | 83% | Virustotal | | Browse
                17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe | 100% | Avira | BDS/Backdoor.Gen |
                17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?f67d919da1a9ba8a5672367d | 0% | Avira URL Cloud | safe |
                http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 0% | Avira URL Cloud | safe |
                http://www.imvu.comr | 0% | Avira URL Cloud | safe |
                https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?66601c3b572f284b9da07fcc | 0% | Avira URL Cloud | safe |
                https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?c9b5e9d2b836931c8ddd4e8d | 0% | Avira URL Cloud | safe |
                jawa123.duckdns.org | 100% | Avira URL Cloud | malware |
                https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?a176b93f037f93b5720edf68 | 0% | Avira URL Cloud | safe |
                https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?467894188c5d788807342326 | 0% | Avira URL Cloud | safe |
                https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?fc66b8a78ab7a1394f56e742 | 0% | Avira URL Cloud | safe |
                https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?18b635b804a8d6ad0a1fa437 | 0% | Avira URL Cloud | safe |
                https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?1c89d9658c6af83a02d98b03 | 0% | Avira URL Cloud | safe |
                http://www.ebuddy.com | 0% | Avira URL Cloud | safe |
                https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?cf2d8bf3b68a3e37eef992d5 | 0% | Avira URL Cloud | safe |
                https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?74b620657ac570f7999e6ad7 | 0% | Avira URL Cloud | safe |
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                jawa123.duckdns.org | 154.216.20.244 | true | true | | unknown
                geoplugin.net | 178.237.33.50 | true | false | | high

                Name | Malicious | Antivirus Detection | Reputation
                jawa123.duckdns.org | true | Avira URL Cloud: malware | unknown
                http://geoplugin.net/json.gp | false | | high
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://www.imvu.comr | 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000007.00000002.2750916801.0000000000400000.00000040.80000000.00040000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 0000000A.00000002.2863335227.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=W | bhvD249.tmp.8.dr | false | | high
                http://www.imvu.comta | 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000007.00000003.2750734979.0000000000A1D000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000007.00000003.2750670973.0000000000A1D000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 0000000A.00000003.2863128744.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 0000000A.00000003.2863084192.00000000008DD000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://ow1.res.office365.com/apc/trans.gif?29331761644ba41ebf9abf96ecc6fbad | bhvA676.tmp.5.dr, bhvD249.tmp.8.dr | false | | high
                https://aefd.nelreports.net/api/report?cat=bingth | bhvA676.tmp.5.dr, bhvD249.tmp.8.dr | false | | high
                https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?66601c3b572f284b9da07fcc | bhvA676.tmp.5.dr, bhvD249.tmp.8.dr | false | Avira URL Cloud: safe | unknown
                http://www.nirsoft.net | 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000005.00000002.2769095020.0000000000193000.00000004.00000010.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000008.00000002.2887519111.0000000000193000.00000004.00000010.00020000.00000000.sdmp | false | | high
                https://aefd.nelreports.net/api/report?cat=bingaotak | bhvA676.tmp.5.dr, bhvD249.tmp.8.dr | false | | high
                https://deff.nelreports.net/api/report?cat=msn | bhvA676.tmp.5.dr, bhvD249.tmp.8.dr | false | | high
                https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BLUr5a&Fr | bhvA676.tmp.5.dr, bhvD249.tmp.8.dr | false | | high
                https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?fc66b8a78ab7a1394f56e742 | bhvA676.tmp.5.dr, bhvD249.tmp.8.dr | false | Avira URL Cloud: safe | unknown
                https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BL2r8e&Fr | bhvA676.tmp.5.dr, bhvD249.tmp.8.dr | false | | high
                http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000007.00000002.2750916801.0000000000400000.00000040.80000000.00040000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 0000000A.00000002.2863335227.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://rum8.perf.linkedin.com/apc/trans.gif?fe61b216ccbcc1bca02cb20f2e94fb51 | bhvA676.tmp.5.dr, bhvD249.tmp.8.dr | false | | high
                https://www.google.com | 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 0000000A.00000002.2863335227.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
                https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?a9bddedb22fa9ee1d455a5d5a89b950c | bhvA676.tmp.5.dr, bhvD249.tmp.8.dr | false | | high
                http://geoplugin.net/json.gp/C | 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe | false | | high
                https://maps.windows.com/windows-app-web-link | bhvA676.tmp.5.dr, bhvD249.tmp.8.dr | false | | high
                https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat | bhvA676.tmp.5.dr, bhvD249.tmp.8.dr | false | | high
                https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?60caefc8ca640843bccad421cfaadcc8 | bhvA676.tmp.5.dr, bhvD249.tmp.8.dr | false | | high
                https://login.yahoo.com/config/login | 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe | false | | high
                                                            high
                                                            http://www.nirsoft.net/17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 0000000A.00000002.2863335227.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                                                              high
                                                              https://ow1.res.office365.com/apc/trans.gif?17a81fd4cdc7fc73a2b4cf5b67ff816dbhvA676.tmp.5.dr, bhvD249.tmp.8.drfalse
                                                                high
                                                                https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?f67d919da1a9ba8a5672367dbhvA676.tmp.5.dr, bhvD249.tmp.8.drfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svgbhvA676.tmp.5.dr, bhvD249.tmp.8.drfalse
                                                                  high
                                                                  https://www.office.com/bhvA676.tmp.5.dr, bhvD249.tmp.8.drfalse
                                                                    high
                                                                    https://ow1.res.office365.com/apc/trans.gif?2f153f40414852a5ead98f4103d563a8bhvA676.tmp.5.dr, bhvD249.tmp.8.drfalse
                                                                      high
                                                                      https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?a176b93f037f93b5720edf68bhvA676.tmp.5.dr, bhvD249.tmp.8.drfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?909b77fc750668f20e07288ff0ed43e2bhvA676.tmp.5.dr, bhvD249.tmp.8.drfalse
                                                                        high
                                                                        https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?c9b5e9d2b836931c8ddd4e8dbhvA676.tmp.5.dr, bhvD249.tmp.8.drfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?18b635b804a8d6ad0a1fa437bhvA676.tmp.5.dr, bhvD249.tmp.8.drfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://www.imvu.com17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 0000000A.00000003.2863128744.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 0000000A.00000003.2863084192.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 0000000A.00000002.2863335227.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                          high
                                                                          https://aefd.nelreports.net/api/report?cat=wsbbhvA676.tmp.5.dr, bhvD249.tmp.8.drfalse
                                                                            high
                                                                            https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?467894188c5d788807342326bhvA676.tmp.5.dr, bhvD249.tmp.8.drfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?1c89d9658c6af83a02d98b03bhvA676.tmp.5.dr, bhvD249.tmp.8.drfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://geoplugin.net/17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 00000000.00000003.1717476206.00000000005EE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://aefd.nelreports.net/api/report?cat=bingaotbhvD249.tmp.8.drfalse
                                                                                high
                                                                                https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3-4102-aebhvA676.tmp.5.dr, bhvD249.tmp.8.drfalse
                                                                                  high
                                                                                  https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?74b620657ac570f7999e6ad7bhvA676.tmp.5.dr, bhvD249.tmp.8.drfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-BL2r8e&FrontEnd=AFDbhvA676.tmp.5.dr, bhvD249.tmp.8.drfalse
                                                                                    high
                                                                                    https://aefd.nelreports.net/api/report?cat=bingrmsbhvD249.tmp.8.drfalse
                                                                                      high
                                                                                      https://rum8.perf.linkedin.com/apc/trans.gif?690daf9375f3d267a5b7b08fbc174993bhvA676.tmp.5.dr, bhvD249.tmp.8.drfalse
                                                                                        high
                                                                                        https://www.google.com/accounts/servicelogin17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exefalse
                                                                                          high
                                                                                          https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?cf2d8bf3b68a3e37eef992d5bhvA676.tmp.5.dr, bhvD249.tmp.8.drfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3bhvA676.tmp.5.dr, bhvD249.tmp.8.drfalse
                                                                                            high
                                                                                            https://ow1.res.office365.com/apc/trans.gif?a50e32ebd978eda4d21928b1dbc78135bhvA676.tmp.5.dr, bhvD249.tmp.8.drfalse
                                                                                              high
                                                                                              https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?c6931b9e725f95cf9c20849dd6498c59bhvA676.tmp.5.dr, bhvD249.tmp.8.drfalse
                                                                                                high
                                                                                                http://www.ebuddy.com17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe, 0000000A.00000002.2863335227.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
IP | Domain | Country | ASN | ASN Name | Malicious
154.216.20.244 | jawa123.duckdns.org | Seychelles | 135357 | SKHT-ASShenzhenKatherineHengTechnologyInformationCo | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
                                                                                                Joe Sandbox version:41.0.0 Charoite
                                                                                                Analysis ID:1569786
                                                                                                Start date and time:2024-12-06 10:06:20 +01:00
                                                                                                Joe Sandbox product:CloudBasic
                                                                                                Overall analysis duration:0h 8m 38s
                                                                                                Hypervisor based Inspection enabled:false
                                                                                                Report type:full
                                                                                                Cookbook file name:default.jbs
                                                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                Number of analysed new started processes analysed:11
                                                                                                Number of new started drivers analysed:0
                                                                                                Number of existing processes analysed:0
                                                                                                Number of existing drivers analysed:0
                                                                                                Number of injected processes analysed:0
                                                                                                Technologies:
                                                                                                • HCA enabled
                                                                                                • EGA enabled
                                                                                                • AMSI enabled
                                                                                                Analysis Mode:default
                                                                                                Analysis stop reason:Timeout
                                                                                                Sample name:17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe
                                                                                                Detection:MAL
                                                                                                Classification:mal100.phis.troj.spyw.evad.winEXE@13/6@2/2
                                                                                                EGA Information:
                                                                                                • Successful, ratio: 100%
                                                                                                HCA Information:
                                                                                                • Successful, ratio: 98%
                                                                                                • Number of executed functions: 139
                                                                                                • Number of non-executed functions: 325
                                                                                                Cookbook Comments:
                                                                                                • Found application associated with file extension: .exe
                                                                                                • Override analysis time to 240s for sample files taking high CPU consumption
                                                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                • Report size exceeded maximum capacity and may have missing network information.
                                                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
04:07:42 | API Interceptor | 6810354x Sleep call for process: 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
154.216.20.244 | NewOrder12052024.js | malicious | Remcos |
178.237.33.50 | scan_241205-801_draft_PO.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | NewOrder12052024.js | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | W6iQkG4jZ1.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | VERSION.dll.dll | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | LdSbZG1iH6.exe | malicious | Remcos, PureLog Stealer | geoplugin.net/json.gp
178.237.33.50 | 1733417286fc3e005fb672367f368896a7f5540f9ccbc4a8fc3e0e3c0df2cd0e1387254b67938.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | tXcFA8apHU.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | f5TWdT5EAc.exe | malicious | Phorpiex, RHADAMANTHYS, Xmrig | www.geoplugin.net/json.gp?ip=
178.237.33.50 | 17333253674c71ac3d5875ca830e11f4630bf65d3b8b7e2686361e216df980d330c80afb30623.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | togiveme.doc | malicious | Remcos | geoplugin.net/json.gp
Match | Associated Sample Name / URL | Detection | Threat Name | Context
jawa123.duckdns.org | NewOrder12052024.js | malicious | Remcos | 154.216.20.244
geoplugin.net | scan_241205-801_draft_PO.exe | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | NewOrder12052024.js | malicious | Remcos | 178.237.33.50
geoplugin.net | W6iQkG4jZ1.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | VERSION.dll.dll | malicious | Remcos | 178.237.33.50
geoplugin.net | LdSbZG1iH6.exe | malicious | Remcos, PureLog Stealer | 178.237.33.50
geoplugin.net | 1733417286fc3e005fb672367f368896a7f5540f9ccbc4a8fc3e0e3c0df2cd0e1387254b67938.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | tXcFA8apHU.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | 17333253674c71ac3d5875ca830e11f4630bf65d3b8b7e2686361e216df980d330c80afb30623.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | togiveme.doc | malicious | Remcos | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | NewOrder12052024.js | malicious | Remcos | 154.216.20.244
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | nshmpsl.elf | malicious | Mirai | 156.241.11.37
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | tXcFA8apHU.exe | malicious | Remcos | 154.216.19.139
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | x86_64.nn.elf | malicious | Mirai, Okiru | 154.216.19.139
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | m68k.nn.elf | malicious | Mirai, Okiru | 154.216.19.139
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | sora.sh4.elf | malicious | Mirai | 45.207.215.90
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | zmap.ppc.elf | malicious | Mirai, Okiru | 154.216.18.131
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | zmap.arm7.elf | malicious | Mirai, Okiru | 154.216.18.131
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | zmap.arm.elf | malicious | Mirai, Okiru | 154.216.18.131
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | armv7l.elf | malicious | Gafgyt, Mirai | 156.241.11.68
ATOM86-ASATOM86NL | scan_241205-801_draft_PO.exe | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | NewOrder12052024.js | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | W6iQkG4jZ1.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | VERSION.dll.dll | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | LdSbZG1iH6.exe | malicious | Remcos, PureLog Stealer | 178.237.33.50
ATOM86-ASATOM86NL | 1733417286fc3e005fb672367f368896a7f5540f9ccbc4a8fc3e0e3c0df2cd0e1387254b67938.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | tXcFA8apHU.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | f5TWdT5EAc.exe | malicious | Phorpiex, RHADAMANTHYS, Xmrig | 178.237.33.50
ATOM86-ASATOM86NL | 17333253674c71ac3d5875ca830e11f4630bf65d3b8b7e2686361e216df980d330c80afb30623.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | togiveme.doc | malicious | Remcos | 178.237.33.50
                                                                                                  Process:C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe
                                                                                                  File Type:JSON data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):963
                                                                                                  Entropy (8bit):5.014904284428935
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:tkluJnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qluNdRNuKyGX85jvXhNlT3/7AcV9Wro
                                                                                                  MD5:B66CFB6461E507BB577CDE91F270844E
                                                                                                  SHA1:6D952DE48032731679F8718D1F1C3F08202507C3
                                                                                                  SHA-256:E231BBC873E9B30CCA58297CAA3E8945A4FC61556F378F2C5013B0DDCB7035BE
                                                                                                  SHA-512:B5C1C188F10C9134EF38D0C5296E7AE95A7A486F858BE977F9A36D63CBE5790592881F3B8D12FEBBF1E555D0A9868632D9E590777E2D3143E74FD3A44C55575F
                                                                                                  Malicious:false
                                                                                                  Reputation:moderate, very likely benign file
Preview:
{
  "geoplugin_request":"8.46.123.228",
  "geoplugin_status":200,
  "geoplugin_delay":"1ms",
  "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",
  "geoplugin_city":"New York",
  "geoplugin_region":"New York",
  "geoplugin_regionCode":"NY",
  "geoplugin_regionName":"New York",
  "geoplugin_areaCode":"",
  "geoplugin_dmaCode":"501",
  "geoplugin_countryCode":"US",
  "geoplugin_countryName":"United States",
  "geoplugin_inEU":0,
  "geoplugin_euVATrate":false,
  "geoplugin_continentCode":"NA",
  "geoplugin_continentName":"North America",
  "geoplugin_latitude":"40.7123",
  "geoplugin_longitude":"-74.0068",
  "geoplugin_locationAccuracyRadius":"20",
  "geoplugin_timezone":"America\/New_York",
  "geoplugin_currencyCode":"USD",
  "geoplugin_currencySymbol":"$",
  "geoplugin_currencySymbol_UTF8":"$",
  "geoplugin_currencyConverter":0
}
                                                                                                  Process:C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe
                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2
                                                                                                  Entropy (8bit):1.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Qn:Qn
                                                                                                  MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                  SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                  SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                  SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                  Malicious:false
                                                                                                  Reputation:high, very likely benign file
                                                                                                  Preview:..
                                                                                                  Process:C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe
                                                                                                  File Type:Extensible storage engine DataBase, version 0x620, checksum 0xc9448cc7, page size 32768, DirtyShutdown, Windows version 10.0
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20447232
                                                                                                  Entropy (8bit):1.2821169115998763
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:e30eOO87CKiOfvGDR2j+YA5cFXFkHdOruF:dOzfDq+
                                                                                                  MD5:2ED127ED6404E872F4A1A66A5B4A3C8B
                                                                                                  SHA1:DA707FFA26EB3123D1E29124D59AA5EC79868623
                                                                                                  SHA-256:8D427713B9ADF435FA18547838EDF53126D4717057875575F692A3C69A00A806
                                                                                                  SHA-512:F3C99F2EBE2FF3BA5711757E170ECF0ABDD6ACC76FCD93B8AC95E03EABE3C192A2339FA65339812980649DD1F47AAC6EF2E9CE7826F24B64FB964B2D58C5E716
                                                                                                  Malicious:false
                                                                                                  Reputation:low
                                                                                                  Process:C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):144
                                                                                                  Entropy (8bit):6.59496675477933
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:72i8hWk9/B8l8TjZCHcy7eJgc2sllBeNc8Cyys1AswGb+ja9XQbK:ii05TykRENu61Am+jG
                                                                                                  MD5:23269DB23E5213B5918E9893182EEA91
                                                                                                  SHA1:ECD4BF9F5C1F3EB793E73F639B3C04AFCE8EF585
                                                                                                  SHA-256:13D29E838A55A13ED7618F158EF711E513CA55E73EB34F680F4B855D9E145A77
                                                                                                  SHA-512:1B7D20D7C095AF3250C0199F8309F070C6DB4408029B80A4BACF9109321181183C64BF31B910B1802B5C832E7DB2915CB4DB664658768B43D8826B56318C0215
                                                                                                  Malicious:true
                                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Entropy (8bit):6.5920759138658545
                                                                                                  TrID:
                                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                  File name:17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe
                                                                                                  File size:480'768 bytes
                                                                                                  MD5:7f2ebe83b860a8de1f3ce798c79b5935
                                                                                                  SHA1:3fbea97a5aa637271311851fd152ee37e813c44f
                                                                                                  SHA256:fd125d03b2bc8512a9a5dcc6df9ca5045208442bc047af50b5f0a359103c1ba8
                                                                                                  SHA512:38645cfa1e5826f06c21c09ba3a3fd11447abea0e66bd281722e9987ea501848086a87e327f689e1282b8532589c75fab182a6777f286030dd5231627038555c
                                                                                                  SSDEEP:12288:umnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSln9:WiLJbpI7I2WhQqZ7l9
                                                                                                  TLSH:D4A4AE02BAD2C072D57161344D2AE735DABDBC212835997BB3E61D5BFD30180A73A7B2
                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B..!...r...r...r.S r...r.S"r...r.S#r...r..Ur...r.o.r...r...s...r...s<..r...s$..r..Br...r...r*..r...sg..r...r...r...s...rRich...
                                                                                                  Icon Hash:95694d05214c1b33
                                                                                                  Entrypoint:0x4327a4
                                                                                                  Entrypoint Section:.text
                                                                                                  Digitally signed:false
                                                                                                  Imagebase:0x400000
                                                                                                  Subsystem:windows gui
                                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                  DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                                  Time Stamp:0x63011007 [Sat Aug 20 16:47:03 2022 UTC]
                                                                                                  TLS Callbacks:
                                                                                                  CLR (.Net) Version:
                                                                                                  OS Version Major:5
                                                                                                  OS Version Minor:1
                                                                                                  File Version Major:5
                                                                                                  File Version Minor:1
                                                                                                  Subsystem Version Major:5
                                                                                                  Subsystem Version Minor:1
                                                                                                  Import Hash:5d354883fe6f15fcf48045037a99fb7a
                                                                                                  Instruction
                                                                                                  call 00007F83E8AF51B7h
                                                                                                  jmp 00007F83E8AF4C03h
                                                                                                  push ebp
                                                                                                  mov ebp, esp
                                                                                                  sub esp, 00000324h
                                                                                                  push ebx
                                                                                                  push esi
                                                                                                  push 00000017h
                                                                                                  call 00007F83E8B1688Fh
                                                                                                  test eax, eax
                                                                                                  je 00007F83E8AF4D77h
                                                                                                  mov ecx, dword ptr [ebp+08h]
                                                                                                  int 29h
                                                                                                  xor esi, esi
                                                                                                  lea eax, dword ptr [ebp-00000324h]
                                                                                                  push 000002CCh
                                                                                                  push esi
                                                                                                  push eax
                                                                                                  mov dword ptr [0046ED04h], esi
                                                                                                  call 00007F83E8AF71C2h
                                                                                                  add esp, 0Ch
                                                                                                  mov dword ptr [ebp-00000274h], eax
                                                                                                  mov dword ptr [ebp-00000278h], ecx
                                                                                                  mov dword ptr [ebp-0000027Ch], edx
                                                                                                  mov dword ptr [ebp-00000280h], ebx
                                                                                                  mov dword ptr [ebp-00000284h], esi
                                                                                                  mov dword ptr [ebp-00000288h], edi
                                                                                                  mov word ptr [ebp-0000025Ch], ss
                                                                                                  mov word ptr [ebp-00000268h], cs
                                                                                                  mov word ptr [ebp-0000028Ch], ds
                                                                                                  mov word ptr [ebp-00000290h], es
                                                                                                  mov word ptr [ebp-00000294h], fs
                                                                                                  mov word ptr [ebp-00000298h], gs
                                                                                                  pushfd
                                                                                                  pop dword ptr [ebp-00000264h]
                                                                                                  mov eax, dword ptr [ebp+04h]
                                                                                                  mov dword ptr [ebp-0000026Ch], eax
                                                                                                  lea eax, dword ptr [ebp+04h]
                                                                                                  mov dword ptr [ebp-00000260h], eax
                                                                                                  mov dword ptr [ebp-00000324h], 00010001h
                                                                                                  mov eax, dword ptr [eax-04h]
                                                                                                  push 00000050h
                                                                                                  mov dword ptr [ebp-00000270h], eax
                                                                                                  lea eax, dword ptr [ebp-58h]
                                                                                                  push esi
                                                                                                  push eax
                                                                                                  call 00007F83E8AF7139h
                                                                                                  Programming Language:
                                                                                                  • [C++] VS2008 SP1 build 30729
                                                                                                  • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6ba58 | 0xf0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x76000 | 0x4ab0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7b000 | 0x39ac | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x69f10 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x69fa4 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x69f48 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x56000 | 0x4ac | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5434b | 0x54400 | d720cbda6f644b704b35ac907cc56d49 | False | 0.574827290430267 | data | 6.624462527244835 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x56000 | 0x17392 | 0x17400 | 7f74ade58c43b15ee0754893e037c956 | False | 0.5001050067204301 | data | 5.8556949326481496 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x6e000 | 0x5c2c | 0xe00 | 121423e4a98fa367c6f6bf7e0478d052 | False | 0.21986607142857142 | data | 2.967957166860955 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x74000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids | 0x75000 | 0x230 | 0x400 | c42969612e5c912b6c5d217fb5c3eeb3 | False | 0.3203125 | data | 2.368295399421673 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x76000 | 0x4ab0 | 0x4c00 | a2615f95a3648aa52cfe4691415d7927 | False | 0.275390625 | data | 3.982792566197081 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7b000 | 0x39ac | 0x3a00 | fdc450eb9b0c8ffc8324fb61b541b328 | False | 0.7665005387931034 | data | 6.71659520483491 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x7618c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3421985815602837
RT_ICON | 0x765f4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.27704918032786885
RT_ICON | 0x76f7c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.23686679174484052
RT_ICON | 0x78024 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.22977178423236513
RT_RCDATA | 0x7a5cc | 0x4a1 | data | | | 1.009282700421941
RT_GROUP_ICON | 0x7aa70 | 0x3e | data | English | United States | 0.8064516129032258
                                                                                                  DLLImport
KERNEL32.dll: CopyFileW, CreateMutexA, GetLocaleInfoA, CreateToolhelp32Snapshot, OpenMutexA, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, lstrcatW, GetCurrentProcessId, GetTempFileNameW, GetCurrentProcess, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FormatMessageA, AllocConsole, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, GetLongPathNameW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, HeapReAlloc, GetACP, GetStdHandle, GetModuleHandleExW, MoveFileExW, RtlUnwind, RaiseException, LoadLibraryExW, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, TlsFree, TlsSetValue, ExpandEnvironmentStringsA, FindNextFileA, FindFirstFileA, GetFileSize, TerminateThread, GetLastError, SetFileAttributesW, GetModuleHandleA, RemoveDirectoryW, MoveFileW, CreateDirectoryW, SetFilePointerEx, GetLogicalDriveStringsA, DeleteFileW, DeleteFileA, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, ExitProcess, GetProcAddress, LoadLibraryA, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, QueryPerformanceCounter, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, MultiByteToWideChar, DecodePointer, EncodePointer, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, GetModuleHandleW, WaitForSingleObjectEx, ResetEvent, SetEndOfFile
USER32.dll: CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, GetWindowThreadProcessId, SetForegroundWindow, SetClipboardData, EnumWindows, ExitWindowsEx, TranslateMessage, DispatchMessageA, GetMessageA, GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, DrawIcon, GetSystemMetrics, GetIconInfo, SystemParametersInfoW, GetCursorPos, RegisterClassExA, AppendMenuA, mouse_event, CreateWindowExA, DefWindowProcA, TrackPopupMenu, CreatePopupMenu, EnumDisplaySettingsW, SendInput, CloseWindow, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible
GDI32.dll: CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteDC, DeleteObject, CreateDCA, GetObjectA
ADVAPI32.dll: CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW, RegDeleteKeyA
SHELL32.dll: ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
SHLWAPI.dll: StrToIntA, PathFileExistsW, PathFileExistsA
WINMM.dll: waveInPrepareHeader, waveInStop, waveInUnprepareHeader, mciSendStringA, PlaySoundW, waveInOpen, waveInStart, waveInAddBuffer, waveInClose, mciSendStringW
WS2_32.dll: WSAGetLastError, recv, connect, socket, send, WSAStartup, closesocket, inet_ntoa, gethostbyname, WSASetLastError, inet_addr, gethostbyaddr, getservbyport, ntohs, getservbyname, htons, htonl
urlmon.dll: URLDownloadToFileW, URLOpenBlockingStreamW
gdiplus.dll: GdiplusStartup, GdipGetImageEncoders, GdipCloneImage, GdipAlloc, GdipDisposeImage, GdipFree, GdipGetImageEncodersSize, GdipSaveImageToStream, GdipLoadImageFromStream
WININET.dll: InternetOpenUrlW, InternetCloseHandle, InternetReadFile, InternetOpenW
Language of compilation system: English
Country where language is spoken: United States
| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-06T10:07:13.372160+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49730 | 154.216.20.244 | 9005 | TCP |
| 2024-12-06T10:07:16.004490+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.4 | 49731 | 178.237.33.50 | 80 | TCP |
| 2024-12-06T10:08:43.186058+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49809 | 154.216.20.244 | 9005 | TCP |
| 2024-12-06T10:08:43.530013+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49811 | 154.216.20.244 | 9005 | TCP |
| 2024-12-06T10:08:57.389539+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49844 | 154.216.20.244 | 9005 | TCP |
| 2024-12-06T10:09:08.389525+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49870 | 154.216.20.244 | 9005 | TCP |
| 2024-12-06T10:09:28.842942+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49915 | 154.216.20.244 | 9005 | TCP |
| 2024-12-06T10:09:33.139924+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49925 | 154.216.20.244 | 9005 | TCP |
| 2024-12-06T10:11:18.422682+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50010 | 154.216.20.244 | 9005 | TCP |
| 2024-12-06T10:11:18.625669+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50011 | 154.216.20.244 | 9005 | TCP |
                                                                                                  Dec 6, 2024 10:08:47.271688938 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:47.271745920 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:47.271775007 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:47.271810055 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:47.436440945 CET498099005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:47.556282043 CET900549809154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:47.858831882 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:48.045432091 CET498119005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:48.375047922 CET498119005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:48.376478910 CET498119005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:48.452277899 CET498099005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:48.495027065 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:48.495043039 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:48.495174885 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:48.495198011 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:48.495330095 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:48.495338917 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:48.495414019 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:48.495424032 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:48.495460987 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:48.495517969 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:48.495718002 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:48.495727062 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:48.495754957 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:48.495810986 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:48.496275902 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:48.496330023 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:48.496372938 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:48.496381998 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:48.496457100 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:48.496467113 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:48.496546984 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:48.496557951 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:48.572149038 CET900549809154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:48.873512983 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:49.045464039 CET498119005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:49.187053919 CET498119005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:49.188489914 CET498119005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:49.306896925 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:49.306924105 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:49.307008028 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:49.307027102 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:49.307109118 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:49.307126999 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:49.307265997 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:49.307276964 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:49.307353020 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:49.307362080 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:49.307462931 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:49.307483912 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:49.307614088 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:49.307657957 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:49.308176994 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:49.308275938 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:49.308288097 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:49.308366060 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:49.308377981 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:49.308490038 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:49.308500051 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:49.308511972 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:49.467644930 CET498099005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:49.587507010 CET900549809154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:49.888714075 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:49.990508080 CET498119005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:49.992012978 CET498119005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:50.110635996 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:50.110666990 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:50.110739946 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:50.110771894 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:50.110802889 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:50.110848904 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:50.110919952 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:50.110943079 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:50.111008883 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:50.111049891 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:50.111171961 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:50.111181021 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:50.111268997 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:50.111293077 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:50.111857891 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:50.111959934 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:50.111968994 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:50.111979008 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:50.112066031 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:50.112076998 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:50.112159967 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:50.112171888 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:50.483448029 CET498099005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:50.603230953 CET900549809154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:50.905881882 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:50.960067034 CET498119005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:50.961749077 CET498119005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:51.079884052 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:51.079900026 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:51.079910994 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:51.079968929 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:51.080050945 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:51.080061913 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:51.080127954 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:51.080149889 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:51.080221891 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:51.080230951 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:51.080280066 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:51.080316067 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:51.080426931 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:51.080436945 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:51.081628084 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:51.081656933 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:51.081737041 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:51.081753969 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:51.081851959 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:51.081870079 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:51.081928968 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:51.081978083 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:51.499161005 CET498099005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:51.619584084 CET900549809154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:51.920985937 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:51.968508005 CET498119005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:51.970144033 CET498119005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:52.088324070 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:52.088346958 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:52.088485003 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:52.088500023 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:52.088586092 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:52.088596106 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:52.088613987 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:52.088624001 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:52.088694096 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:52.088705063 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:52.088774920 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:52.088783979 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:52.088846922 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:52.088958025 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:52.090039015 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:52.090085983 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:52.090131998 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:52.090141058 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:52.090203047 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:52.090234041 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:52.090289116 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:52.090298891 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:52.515197992 CET498099005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:52.635078907 CET900549809154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:52.936367035 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:52.983668089 CET498119005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:52.985066891 CET498119005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:53.103513002 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:53.103538990 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:53.103637934 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:53.103647947 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:53.103749037 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:53.103758097 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:53.103789091 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:53.103815079 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:53.103877068 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:53.103948116 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:53.104022980 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:53.104135990 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:53.104176998 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:53.104222059 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:53.104914904 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:53.104924917 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:53.104985952 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:53.105012894 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:53.105124950 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:53.105134010 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:53.105176926 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:53.105221033 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.405822039 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.405962944 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.410522938 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.410634041 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.410715103 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.415285110 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.415360928 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.415519953 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.419826031 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.419881105 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.420023918 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.424453974 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.424614906 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.424803972 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.428905964 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.429023981 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.429075956 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.433501959 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.433712959 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.433767080 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.438062906 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.438193083 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.438251019 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.442630053 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.442743063 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.442800045 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.447145939 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.447251081 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.447355032 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.451754093 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.451859951 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.452039003 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.456291914 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.456428051 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.456491947 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.460808992 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.460922003 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.461056948 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.465399981 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.465470076 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.465612888 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.470123053 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.470136881 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.470257044 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.474524021 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.474675894 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.474814892 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.479088068 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.479182005 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.479294062 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.483705044 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.483735085 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.483850956 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.488220930 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.488318920 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.488487005 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.492734909 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.492793083 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.492999077 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.519048929 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.519069910 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.519139051 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.521174908 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.521451950 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.521508932 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.525721073 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.590616941 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.590671062 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.590712070 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.592137098 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.592184067 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.592739105 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.592839003 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.592888117 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.595870972 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.596606016 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.596662045 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.598988056 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.600063086 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.600106001 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.602133989 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.602230072 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.602272034 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.605122089 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.605247021 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.605299950 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.608184099 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.608298063 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.608400106 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.611172915 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.611368895 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.611422062 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.614007950 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.614204884 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.614253044 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.616925001 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.617039919 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.617096901 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.619946957 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.619993925 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.620050907 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.622587919 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.622740030 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.622781992 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.625339985 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.625425100 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.625468016 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.628087997 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.628196955 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.628246069 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.630845070 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.630994081 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.631042004 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.633616924 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.633708000 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.633759022 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.634644985 CET498099005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.636332035 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.636452913 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.636502028 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.639106035 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.639240026 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.639282942 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.641891003 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.641990900 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.642036915 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.644735098 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.644845963 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.644908905 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.646634102 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.646750927 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.646800995 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.648444891 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.648515940 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.648566008 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.650300980 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.650527954 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.650576115 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.652158976 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.652281046 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.652327061 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.654103994 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.654167891 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.654215097 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.655915022 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.656023979 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.656069040 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.657826900 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.657886982 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.657932043 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.659668922 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.659868956 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.659928083 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.661649942 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.661663055 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.661719084 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.663372040 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.663538933 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.663597107 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.665297985 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.665390968 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.665430069 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.667118073 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.667349100 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.667392969 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.669001102 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.669106007 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.669154882 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.984208107 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.984282970 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.985244989 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.985299110 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.985336065 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.986277103 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.986327887 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.986377954 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.987432957 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.987478018 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.987485886 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.988508940 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.988554955 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.988636017 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.989554882 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.989608049 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.989620924 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.990463018 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.990515947 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.990586042 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.991485119 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.991542101 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.991617918 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.992613077 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.992677927 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.992716074 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.993628025 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.993688107 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.993745089 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.994673967 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.994731903 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.994767904 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.995739937 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.995798111 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.995863914 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.996786118 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.996839046 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.996891022 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.997965097 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.998019934 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.998039007 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.998989105 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:58.999042034 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:58.999114990 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.000010967 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.000052929 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:59.000098944 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.001070023 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.001118898 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:59.001183033 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.002129078 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.002188921 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:59.002248049 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.003196955 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.003248930 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:59.003326893 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.004287004 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.004300117 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.004336119 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:59.005296946 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.005341053 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:59.005441904 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.006370068 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.006413937 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:59.006463051 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.007505894 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.007524967 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.007555008 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:59.008495092 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.008543968 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:59.008616924 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.009569883 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.009612083 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:59.009711981 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.010710001 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.010757923 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:59.010926008 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.011712074 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.011756897 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:59.011821985 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.012758970 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.012804031 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:59.012891054 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.013895035 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.013940096 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:59.014013052 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.014924049 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.014971018 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:59.015101910 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.015986919 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.016030073 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:59.016099930 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.017030001 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.017069101 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.017077923 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:59.018040895 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.018085003 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:59.018143892 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.019165039 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.019216061 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:59.019220114 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.020235062 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.020279884 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:59.020318031 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.021323919 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.021363974 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:59.021377087 CET900549844154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.056147099 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.101131916 CET498119005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:59.102674961 CET498119005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:59.186218977 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:59.221103907 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.221182108 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.221194029 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.221203089 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.221282005 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.221292019 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.221309900 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.221319914 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.221431971 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.221502066 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.221618891 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.221630096 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.221654892 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.221710920 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.222487926 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.222511053 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.222522020 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.222569942 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.222614050 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.222636938 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.222702980 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.222738981 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:08:59.662672043 CET498099005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:08:59.782478094 CET900549809154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:00.092873096 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:00.140621901 CET498119005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:00.146584034 CET498119005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:00.260952950 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:00.260993958 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:00.261040926 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:00.261074066 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:00.261167049 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:00.261214972 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:00.261277914 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:00.261343002 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:00.261425972 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:00.261473894 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:00.261579037 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:00.261672974 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:00.261707067 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:00.261719942 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:00.266452074 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:00.266495943 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:00.266578913 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:00.266597033 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:00.266676903 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:00.266730070 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:00.266844988 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:00.266866922 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:00.672127008 CET498099005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:00.791961908 CET900549809154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:01.093657970 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:01.137876034 CET498119005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:01.163669109 CET498119005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:01.165005922 CET498119005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:01.254746914 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:01.254959106 CET498449005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:08.433975935 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:08.433979988 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:08.434000969 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:08.434010029 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:08.434293032 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:08.434302092 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:08.434376001 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:08.434468031 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:08.434551001 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:08.445215940 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:08.449774981 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:08.569550991 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:08.570703983 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:08.690413952 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:08.843107939 CET498099005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:08.963005066 CET900549809154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.060782909 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.060800076 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.060827017 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.060858965 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.060885906 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.060906887 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.060921907 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.060931921 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.060942888 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.060956955 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.060985088 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.061065912 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.061074018 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.069257021 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.069307089 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.069309950 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.169425011 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.169478893 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.180825949 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.180902958 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.180988073 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.252917051 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.252933979 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.253022909 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.257074118 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.257093906 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.257149935 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.264547110 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.265583992 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.265595913 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.265691042 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.274112940 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.274230003 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.274321079 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.282537937 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.282627106 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.282701969 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.290996075 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.291090012 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.291238070 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.299487114 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.299577951 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.299700022 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.307944059 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.308006048 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.308108091 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.316435099 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.316521883 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.316620111 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.319803953 CET498119005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.321070910 CET498119005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.325047016 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.342644930 CET4973180192.168.2.4178.237.33.50
                                                                                                  Dec 6, 2024 10:09:09.361399889 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.361495972 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.361607075 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.364933968 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.365111113 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.365168095 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.371906042 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.374701977 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.440133095 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.440146923 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.440190077 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.440207005 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.440500975 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.440637112 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.440757036 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.440819025 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.440989971 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.441003084 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.441082001 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.441131115 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.441467047 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.441476107 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.441485882 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.441728115 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.442437887 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.444967985 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.445066929 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.445152044 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.447637081 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.447829962 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.447949886 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.452904940 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.452969074 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.453022003 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.457961082 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.458065033 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.458251953 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.463202953 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.463222980 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.463284016 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.468327045 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.468357086 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.468430996 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.473548889 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.473627090 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.473697901 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.478526115 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.478632927 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.478692055 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.483659983 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.483841896 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.483907938 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.488806009 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.489011049 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.489074945 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.493971109 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.494054079 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.494112968 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.499090910 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.499206066 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.499268055 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.504307032 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.504364967 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.504431009 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.509403944 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.509505033 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.509572029 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.515023947 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.515213966 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.515273094 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.519834042 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.519956112 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.520013094 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.525017023 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.525031090 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.525098085 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.530119896 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.530145884 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.530229092 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.553613901 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.553633928 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.553734064 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.556133986 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.556150913 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.556225061 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.561249018 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.561269045 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.561362028 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.566272974 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.566546917 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.566622019 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.571449995 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.571489096 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.571563005 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.636955023 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.637080908 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.637139082 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.638670921 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.639235020 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.896858931 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.897039890 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.898987055 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.899022102 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.899049997 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.900044918 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.900106907 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.900132895 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.901293039 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.901335001 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.901388884 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.902256012 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.902297020 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.937436104 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.937597990 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.937650919 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.938178062 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.938275099 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.938313007 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.939687967 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.939815998 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.939894915 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.941159010 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.941288948 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.941343069 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.942667961 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.942692995 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.942744017 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.944164991 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.944257021 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.944300890 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.945635080 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.945740938 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.945786953 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.947130919 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.947292089 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.947333097 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.948667049 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.948751926 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.948795080 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.950145960 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.950241089 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:09.950278997 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:09.978220940 CET900549809154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.021008968 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.021070004 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.021208048 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.021250963 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.021292925 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.022306919 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.022363901 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.022403955 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.022444963 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.023392916 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.023427010 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.024544001 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.024595022 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.024679899 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.024722099 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.025589943 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.025655985 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.025702000 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.026395082 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.026504040 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.026539087 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.027430058 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.027546883 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.027666092 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.028426886 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.028518915 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.028558016 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.029525042 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.029652119 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.029697895 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.030436993 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.030543089 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.030580997 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.031457901 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.031513929 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.031569004 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.032489061 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.032598019 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.032639980 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.033530951 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.033663034 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.033696890 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.034498930 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.034619093 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.034658909 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.035540104 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.035590887 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.035650969 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.036546946 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.036660910 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.036724091 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.037611961 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.037729979 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.037787914 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.038666964 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.038747072 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.038814068 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.039578915 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.039658070 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.039697886 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.040579081 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.040684938 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.040723085 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.041589975 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.041743040 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.041779995 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.042599916 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.042846918 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.042896986 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.043646097 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.043764114 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.043813944 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.044645071 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.044781923 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.044823885 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.045634985 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.045782089 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.045820951 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.046662092 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.046780109 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.046814919 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.047709942 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.047813892 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.047848940 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.048697948 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.048801899 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.048850060 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.049690008 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.049770117 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.049815893 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.050734043 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.050812960 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.050853968 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.051784992 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.051882982 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.051917076 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.052756071 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.052848101 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.052886963 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.053783894 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.053917885 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.054074049 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.054775000 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.054795027 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.054833889 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.055768013 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.055881977 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.055923939 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.056773901 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.056898117 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.056952953 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.057866096 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.057878971 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.057924032 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.058924913 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.058983088 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.059025049 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.059853077 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.060034037 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.060131073 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.060846090 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.060925961 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:10.060970068 CET498709005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:10.061860085 CET900549870154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:17.342597008 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:17.389874935 CET498119005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:17.391251087 CET498119005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:17.509927988 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:17.509948015 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:17.509959936 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:17.510001898 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:17.510059118 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:17.510091066 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:17.510212898 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:17.510221958 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:17.510274887 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:17.510354996 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:17.510436058 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:17.510505915 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:17.510552883 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:17.510562897 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:17.511039972 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:17.511070013 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:17.511152983 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:17.511226892 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:17.511310101 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:17.858740091 CET498099005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:17.978631020 CET900549809154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:18.280807972 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:18.325424910 CET498119005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:18.326694012 CET498119005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:18.445606947 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:18.445621014 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:18.445724964 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:18.445743084 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:18.445841074 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:18.445851088 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:18.445929050 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:18.445945978 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:18.446088076 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:18.446099043 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:18.446221113 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:18.446233034 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:18.446324110 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:18.446333885 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:18.446531057 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:18.446614981 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:18.446719885 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:18.447073936 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:18.447418928 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:18.764923096 CET498099005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:18.884800911 CET900549809154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:19.186363935 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:19.235543013 CET498119005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:19.237133980 CET498119005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:19.355504990 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:19.355520010 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:19.355541945 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:19.355577946 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:19.355714083 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:19.355722904 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:19.355855942 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:19.355870962 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:19.355911016 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:19.355921030 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:19.356010914 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:19.356085062 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:19.356204033 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:19.356213093 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:19.356918097 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:19.356946945 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:19.357069969 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:19.357084990 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:19.357137918 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:19.640366077 CET498099005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:19.760246992 CET900549809154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:20.061635017 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:20.108829021 CET498119005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:20.110130072 CET498119005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:20.228641987 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:20.228666067 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:20.228737116 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:20.228806973 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:20.228847027 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:20.228887081 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:20.228965044 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:20.229055882 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:20.229134083 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:20.229177952 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:20.229315996 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:20.229351044 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:20.229427099 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:20.229454994 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:20.229976892 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:20.230026960 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:20.230077028 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:20.230212927 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:20.230274916 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:20.499306917 CET498099005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:20.619497061 CET900549809154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:20.920936108 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:20.989053965 CET498119005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:20.990976095 CET498119005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:21.109303951 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:21.109319925 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:21.109431028 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:21.109441042 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:21.109487057 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:21.109498978 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:21.109596014 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:21.109605074 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:21.109647989 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:21.109657049 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:21.109782934 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:21.109797001 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:21.109833956 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:21.110106945 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:21.110898972 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:21.110918045 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:21.110975027 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:21.111046076 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:21.111090899 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:21.327738047 CET498099005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:21.447818995 CET900549809154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:21.748987913 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:21.796092033 CET498119005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:21.797399998 CET498119005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:21.916188955 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:21.916205883 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:21.916393042 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:21.916532040 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:21.916593075 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:21.916649103 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:21.916702032 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:21.916807890 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:21.916898966 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:21.916964054 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:21.916980028 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:21.917212009 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:21.917273998 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:21.917284012 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:21.917488098 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:21.917560101 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:21.917654037 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:21.917741060 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:21.917793036 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:22.124241114 CET498099005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:22.244338989 CET900549809154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:22.545628071 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:22.592803955 CET498119005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:22.594146967 CET498119005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:22.712762117 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:22.712779045 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:22.712799072 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:22.712809086 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:22.712841988 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:22.712852955 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:22.712955952 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:22.712965965 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:22.712995052 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:22.713004112 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:22.713112116 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:22.713150978 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:22.713190079 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:22.713202000 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:22.713917017 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:22.713988066 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:22.714052916 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:22.714133978 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:22.714215040 CET900549811154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:22.889903069 CET498099005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:23.010500908 CET900549809154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:33.491084099 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:33.491123915 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:33.514424086 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:33.514477015 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:33.610917091 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:33.610940933 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:33.610975981 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:33.611010075 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:33.611171961 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:33.611216068 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:33.611221075 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:33.611273050 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:33.611356974 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:33.611393929 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:33.611449003 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:33.611532927 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:33.611578941 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:33.611619949 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:33.611629009 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:33.611707926 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:33.611783981 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:33.611857891 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:33.634345055 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:33.732537985 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:33.732811928 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:33.732903957 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:33.733078003 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:33.733227968 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:33.733314037 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:33.733406067 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:33.733506918 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:33.733542919 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.150357962 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.187647104 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:34.189800978 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:34.191867113 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:34.193202972 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:34.307693958 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.307718992 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.307822943 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.307857037 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.307966948 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.308015108 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.308146000 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.308171034 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.308314085 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.308367014 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.308499098 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.308509111 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.308669090 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.308689117 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.309657097 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.309705019 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.309899092 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.309942961 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.310072899 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.310117006 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.310205936 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.310249090 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.310359001 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.310408115 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.310544014 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.310553074 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.310686111 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.310712099 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.311825991 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.311933041 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.311943054 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.312072039 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.312249899 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.312259912 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.312280893 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.312316895 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.312364101 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.312402964 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.312457085 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.312500954 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.312697887 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.312743902 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.313122988 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.313133955 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.313250065 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.313335896 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.313344955 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.313380957 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.313508987 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.313616037 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.313625097 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.720346928 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.775777102 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:34.778637886 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:34.783328056 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:34.786180973 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:34.895819902 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.895837069 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.895910025 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.895920992 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.895994902 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.896006107 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.896101952 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.896107912 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.896209002 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.896219015 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.896342993 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.896425962 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.896436930 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.896660089 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.898391962 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.898422003 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.898550034 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.898600101 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.898694992 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.898711920 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.898818970 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.898828030 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.898889065 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.898941994 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.899045944 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.899148941 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.899341106 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.899352074 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.903230906 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.903265953 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.903379917 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.903389931 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.903480053 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.903496981 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.903601885 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.903646946 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.903748989 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.903794050 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.903826952 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.903836966 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.903924942 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.904011011 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.906049967 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.906101942 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.906270981 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.906291008 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.906430960 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.906440973 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.906462908 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.906557083 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:34.906574011 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:35.297208071 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:35.361843109 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:35.371742964 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:35.374670982 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:35.377525091 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:35.379359961 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:35.491638899 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:35.491653919 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:35.491666079 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:35.491960049 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:35.491970062 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:35.491981983 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:35.492041111 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:35.492077112 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:35.492234945 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:35.492244959 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:35.492362976 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:35.492397070 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:35.492526054 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:35.492675066 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:35.494589090 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:35.494607925 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:35.494810104 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:35.494820118 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.839112997 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.839345932 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.839463949 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.839479923 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.839492083 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.840236902 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.840245962 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.840261936 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.840290070 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.840358973 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.840369940 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.840496063 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.840506077 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.840588093 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.840596914 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.840675116 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.840687037 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.840770960 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.840780973 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.842294931 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.842350006 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.842408895 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.842417955 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.842490911 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.842508078 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.842618942 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.842643976 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.842694998 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.842747927 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.842801094 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.842814922 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.842894077 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.842902899 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.845009089 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.845102072 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.845112085 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.845124006 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.845195055 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.845206022 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.845248938 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.845331907 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:37.845341921 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.233531952 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.282937050 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:38.285273075 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:38.288935900 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:38.288970947 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:38.403039932 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.403085947 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.403155088 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.403165102 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.403295040 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.403363943 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.403512955 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.403532982 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.403649092 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.403659105 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.403707027 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.403757095 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.403858900 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.403868914 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.405169010 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.405234098 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.405383110 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.405437946 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.405567884 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.405577898 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.405627012 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.405637980 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.405688047 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.405703068 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.405749083 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.405760050 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.405821085 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.405858994 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.408674955 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.408694983 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.408704996 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.408813953 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.408823967 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.408900023 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.408911943 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.409054995 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.409066916 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.409151077 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.409209967 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.409398079 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.409415960 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.409426928 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.409502029 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.409519911 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.409591913 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.409713984 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.409724951 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.409780025 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.409858942 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.409868956 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.409878969 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.815318108 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:38.892827034 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:38.897027969 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:38.901571035 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:38.905015945 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:39.012691021 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.012763023 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.012830973 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.012840986 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.012857914 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.012943983 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.012969971 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.013042927 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.013052940 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.013108969 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.013125896 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.013210058 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.013221025 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.013231039 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.017385006 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.017411947 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.017529964 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.017604113 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.017693043 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.017719030 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.017812014 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.017872095 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.017889023 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.017913103 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.018052101 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.018060923 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.018237114 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.018246889 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.021414995 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.021425962 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.021508932 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.021519899 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.021694899 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.021768093 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.021913052 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.021925926 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.022038937 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.022080898 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.022152901 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.022172928 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.022238016 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.022248030 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.024710894 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.024776936 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.024802923 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.024908066 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.024925947 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.024971962 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.024981976 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.025103092 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.025114059 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.025162935 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.025181055 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.025211096 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.415422916 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.452725887 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:39.454916000 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:39.457118034 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:39.458578110 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:39.572571993 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.572598934 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.572674036 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.572700024 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.572843075 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:39.572853088 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:42.579174995 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:42.579262018 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:42.579289913 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:42.579807997 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:42.579920053 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:42.580043077 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:42.580158949 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:42.580204964 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:42.986840963 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.053306103 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:43.055375099 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:43.057507992 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:43.058958054 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:43.173245907 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.173269033 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.173316956 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.173381090 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.173444033 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.173454046 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.173532009 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.173589945 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.173598051 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.173618078 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.173716068 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.173724890 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.173831940 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.173867941 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.175257921 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.175333023 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.175508022 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.175607920 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.175743103 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.175987005 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.176171064 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.176199913 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.177567959 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.177648067 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.177656889 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.178890944 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.178998947 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.179008007 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.179124117 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.179188013 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.502531052 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.640137911 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:43.694386959 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.753299952 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:43.753370047 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:43.756716013 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:43.756768942 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:43.873137951 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.873162031 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.873265982 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.873275995 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.873295069 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.873303890 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.873344898 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.873404026 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.873478889 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.873488903 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.873547077 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.873636007 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.873651981 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.873699903 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.873709917 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.873752117 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.873892069 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.873900890 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.873950958 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.874064922 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.874073029 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.874151945 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.876547098 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.876599073 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.876723051 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.876755953 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.876794100 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.876859903 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.876974106 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.876982927 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.877084017 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.877218008 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.877238035 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.877247095 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:43.886219025 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:44.030636072 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:44.065460920 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:44.140008926 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:44.302047968 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:44.343144894 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:44.393551111 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:44.396734953 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:44.398010969 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:44.403177977 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:44.513489008 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:44.513614893 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:44.513787985 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:44.513923883 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:44.514060974 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:44.514239073 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:44.516627073 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:44.516766071 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:44.516876936 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:44.516999006 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:44.517086983 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:44.517201900 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:44.517322063 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:44.517791986 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:44.517874002 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:44.517961025 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:44.518053055 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:44.518132925 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:44.518181086 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:44.518245935 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:44.522936106 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:44.522994041 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:44.523057938 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:44.523166895 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:44.523222923 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:44.523284912 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:44.926255941 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:44.971128941 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:44.973289967 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:44.975416899 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:44.977081060 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:45.098258972 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:45.489631891 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:45.530721903 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:45.546132088 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:45.548268080 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:45.550357103 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:45.551750898 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:45.727135897 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:45.727152109 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:45.727161884 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:45.727169991 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:45.727185011 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:45.727193117 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:45.727202892 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:45.727210999 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:45.727219105 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:45.727226973 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:45.727241039 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:45.727250099 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:45.727257967 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:45.727266073 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:45.727274895 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:45.727283955 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:45.727292061 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:45.727299929 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:45.727308035 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:45.727319956 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:45.727333069 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:46.079763889 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:46.168171883 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:46.170999050 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:46.174621105 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:46.176281929 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:46.288189888 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:46.288224936 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:46.288273096 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:46.288283110 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:46.288383961 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:46.288449049 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:46.290771961 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:46.290864944 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:46.290946960 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:46.291106939 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:49.732554913 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:49.732604027 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:49.732681990 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:49.732763052 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:49.733191967 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:49.734713078 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:49.734860897 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:49.734999895 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:49.735090017 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:49.735223055 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:49.735378981 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:49.735491991 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:49.736211061 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:49.736293077 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:49.736365080 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:49.736438036 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:49.736457109 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.143500090 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.191744089 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:50.193887949 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:50.196151018 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:50.198272943 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:50.311517954 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.311645985 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.311713934 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.311834097 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.311842918 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.311920881 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.311979055 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.312072039 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.312136889 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.312254906 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.312273979 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.312398911 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.312439919 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.312549114 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.313663960 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.313745975 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.313853025 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.314004898 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.314109087 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.314286947 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.314414024 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.314516068 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.315973043 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.316108942 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.316346884 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.316452026 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.316554070 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.316679001 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.316803932 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.318191051 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.318386078 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.318494081 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.318591118 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.318686008 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.318800926 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.318837881 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.711508989 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.749996901 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:50.752000093 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:50.754060030 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:50.755405903 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:50.869874954 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.869898081 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.870089054 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.870110035 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.870357990 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.870368004 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.870378971 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.870388031 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.870481014 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.870517015 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.870604038 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.870646000 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.870762110 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.870773077 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.871985912 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.872013092 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.872160912 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.872242928 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.872358084 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.872466087 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.872597933 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.872629881 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.874352932 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.874469042 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.875458002 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.875545025 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.875607967 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.875673056 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:50.875757933 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:51.259160995 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:51.309477091 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:51.312279940 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:51.314764023 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:51.316627979 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:51.429760933 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:51.429846048 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:51.429990053 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:51.430008888 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:51.430216074 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:51.430308104 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:51.430423975 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:51.430557013 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:51.430567980 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:51.430579901 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:51.430800915 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:51.430813074 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:51.430901051 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:51.430932999 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:51.432394981 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:51.432457924 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:51.432593107 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:51.432651997 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:51.432735920 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:51.432848930 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:51.432946920 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:51.433152914 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:51.434927940 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:51.435089111 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:51.435185909 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:51.435195923 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:51.436574936 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:51.436642885 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:51.436781883 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:51.436885118 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:51.436896086 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:51.841897011 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:51.891614914 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:51.893784046 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:51.895956039 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:51.897391081 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:52.011674881 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:52.011782885 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:52.011792898 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:52.011858940 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:52.011868954 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:52.011882067 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:52.012006044 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:52.012016058 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:52.012075901 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:52.012104988 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:52.012178898 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:52.012221098 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:52.012404919 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:52.012422085 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:52.013633966 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:52.013653994 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:52.013768911 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:52.013856888 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:52.014069080 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:52.014225960 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:52.014375925 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:52.014384031 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:52.015856028 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:52.015939951 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:52.015968084 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:52.016119957 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:52.016171932 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:52.016282082 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:52.016314983 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:52.017265081 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:52.017303944 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:52.017390013 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:52.017627001 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:52.017673016 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:52.423842907 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:55.662734985 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:55.662894964 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:55.665446997 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:55.665575027 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:55.665802956 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:55.665832043 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:55.665865898 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:55.665939093 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:55.666202068 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:55.673620939 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:55.673652887 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:55.673772097 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:55.673872948 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:55.673886061 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.071822882 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.133480072 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:56.136564016 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:56.139651060 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:56.141725063 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:56.253369093 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.253388882 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.253439903 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.253454924 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.253494024 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.253511906 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.253616095 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.253631115 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.253647089 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.253683090 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.253784895 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.253798008 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.253937006 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.253953934 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.256474972 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.256547928 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.257028103 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.259555101 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.259601116 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.259646893 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.259677887 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.259778023 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.259887934 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.259931087 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.261522055 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.261612892 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.261643887 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.261920929 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.643265009 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.689140081 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:56.691153049 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:56.693325996 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:56.695332050 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:56.809040070 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.809056044 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.809081078 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.809202909 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.809211969 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.809221029 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.809282064 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.809290886 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.809320927 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.809412003 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.809422016 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.809432030 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.809456110 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.809500933 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.810988903 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.811012030 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.811100006 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.811155081 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.811230898 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.811297894 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.811379910 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.811403990 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.813121080 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.813147068 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.813229084 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.813309908 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.813373089 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.813486099 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.813496113 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.815134048 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.815226078 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.815304995 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.815382004 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.815490961 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.815502882 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:56.815561056 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.224241972 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.267957926 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:57.270420074 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:57.272720098 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:57.274257898 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:57.387926102 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.387942076 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.388004065 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.388056993 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.388067961 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.388092995 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.388159990 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.388299942 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.388309956 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.388329983 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.388362885 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.388443947 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.388484955 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.388531923 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.390286922 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.390299082 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.390392065 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.390430927 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.390512943 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.390578985 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.390692949 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.390789032 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.392522097 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.392657042 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.392963886 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.394049883 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.394124031 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.394212961 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.394294024 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.394310951 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.777498960 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.846100092 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:57.848613977 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:57.852653027 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:57.854526043 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:57.966335058 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.966382027 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.966439009 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.966466904 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.966479063 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.966506004 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.966556072 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.966583967 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.966610909 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.966639042 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.966691971 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.966718912 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.966767073 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.966794014 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.968513012 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.968544006 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.968643904 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.968774080 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.968868017 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.968914032 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.969000101 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.969036102 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.972476959 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.972507954 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.972552061 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.972660065 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.972717047 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.972810030 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.972887039 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.974278927 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.974374056 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.974447012 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.974524975 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:57.974535942 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:58.354748964 CET900549925154.216.20.244192.168.2.4
                                                                                                  Dec 6, 2024 10:09:58.391983032 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:58.393980980 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:58.395998955 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:58.397329092 CET499259005192.168.2.4154.216.20.244
                                                                                                  Dec 6, 2024 10:09:58.513228893 CET900549925154.216.20.244192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 6, 2024 10:07:11.557313919 CET | 192.168.2.4 | 1.1.1.1 | 0xd98e | Standard query (0) | jawa123.duckdns.org | A (IP address) | IN (0x0001) | false
Dec 6, 2024 10:07:14.496054888 CET | 192.168.2.4 | 1.1.1.1 | 0xdcd2 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 6, 2024 10:07:11.888995886 CET | 1.1.1.1 | 192.168.2.4 | 0xd98e | No error (0) | jawa123.duckdns.org | | 154.216.20.244 | A (IP address) | IN (0x0001) | false
Dec 6, 2024 10:07:14.636883020 CET | 1.1.1.1 | 192.168.2.4 | 0xdcd2 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 178.237.33.50 | 80 | 6568 | C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe

Timestamp | Bytes transferred | Direction | Data
Dec 6, 2024 10:07:14.763222933 CET | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Dec 6, 2024 10:07:16.004169941 CET | 1171 | IN | HTTP/1.1 200 OK
                                                                                                  date: Fri, 06 Dec 2024 09:07:15 GMT
                                                                                                  server: Apache
                                                                                                  content-length: 963
                                                                                                  content-type: application/json; charset=utf-8
                                                                                                  cache-control: public, max-age=300
                                                                                                  access-control-allow-origin: *
                                                                                                  Data Ascii: { "geoplugin_request":"8.46.123.228", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}



                                                                                                  Target ID:0
                                                                                                  Start time:04:07:10
                                                                                                  Start date:06/12/2024
                                                                                                  Path:C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe"
                                                                                                  Imagebase:0x400000
                                                                                                  File size:480'768 bytes
                                                                                                  MD5 hash:7F2EBE83B860A8DE1F3CE798C79B5935
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.2607794386.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000000.1672275967.0000000000456000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000000.1672275967.0000000000456000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.2628733515.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.2649104544.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.2624214746.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.2623293763.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.2640984538.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.2648225521.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.2628935219.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.2608000108.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.2599183809.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.2608743855.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.2638471571.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.2649310406.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.2627681034.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.2618745887.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.2598728170.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.2597901864.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.2641409681.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.2648048280.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.2627912130.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.2639412053.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.2617369250.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.2597663716.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Reputation:low
                                                                                                  Has exited:false

                                                                                                  Target ID:5
                                                                                                  Start time:04:08:57
                                                                                                  Start date:06/12/2024
                                                                                                  Path:C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\qvsnmq"
                                                                                                  Imagebase:0x400000
                                                                                                  File size:480'768 bytes
                                                                                                  MD5 hash:7F2EBE83B860A8DE1F3CE798C79B5935
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000000.2747605791.0000000000456000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000005.00000000.2747605791.0000000000456000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                                  Reputation:low
                                                                                                  Has exited:true

                                                                                                  Target ID:6
                                                                                                  Start time:04:08:57
                                                                                                  Start date:06/12/2024
                                                                                                  Path:C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\wfgmexfquvwjormwxnmvqsfnckapqyps"
                                                                                                  Imagebase:0x400000
                                                                                                  File size:480'768 bytes
                                                                                                  MD5 hash:7F2EBE83B860A8DE1F3CE798C79B5935
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000000.2748254754.0000000000456000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000006.00000000.2748254754.0000000000456000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                                  Reputation:low
                                                                                                  Has exited:true

                                                                                                  Target ID:7
                                                                                                  Start time:04:08:57
                                                                                                  Start date:06/12/2024
                                                                                                  Path:C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\xjrvqnzhyavnhpgfptkxoggco"
                                                                                                  Imagebase:0x400000
                                                                                                  File size:480'768 bytes
                                                                                                  MD5 hash:7F2EBE83B860A8DE1F3CE798C79B5935
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000000.2748773376.0000000000456000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000007.00000000.2748773376.0000000000456000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                                  Reputation:low
                                                                                                  Has exited:true

                                                                                                  Target ID:8
                                                                                                  Start time:04:09:08
                                                                                                  Start date:06/12/2024
                                                                                                  Path:C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\atkwdxhfhaecrerwdsjtdarotoqimtmgdh"
                                                                                                  Imagebase:0x400000
                                                                                                  File size:480'768 bytes
                                                                                                  MD5 hash:7F2EBE83B860A8DE1F3CE798C79B5935
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000000.2859579477.0000000000456000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000000.2859579477.0000000000456000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                                  Reputation:low
                                                                                                  Has exited:true

                                                                                                  Target ID:9
                                                                                                  Start time:04:09:08
                                                                                                  Start date:06/12/2024
                                                                                                  Path:C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\azrbouitfbtqknwrahjxueeuvbutbfjrmv"
                                                                                                  Imagebase:0x400000
                                                                                                  File size:480'768 bytes
                                                                                                  MD5 hash:7F2EBE83B860A8DE1F3CE798C79B5935
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000000.2860142643.0000000000456000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000009.00000000.2860142643.0000000000456000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                                  Reputation:low
                                                                                                  Has exited:true

                                                                                                  Target ID:10
                                                                                                  Start time:04:09:09
                                                                                                  Start date:06/12/2024
                                                                                                  Path:C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Users\user\Desktop\17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\xmdugchyslpaasitdca"
                                                                                                  Imagebase:0x400000
                                                                                                  File size:480'768 bytes
                                                                                                  MD5 hash:7F2EBE83B860A8DE1F3CE798C79B5935
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000000.2861290351.0000000000456000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000A.00000000.2861290351.0000000000456000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                                  Reputation:low
                                                                                                  Has exited:true

                                                                                                    Execution Graph

                                                                                                    Execution Coverage:6.2%
                                                                                                    Dynamic/Decrypted Code Coverage:9.2%
                                                                                                    Signature Coverage:5%
                                                                                                    Total number of Nodes:2000
                                                                                                    Total number of Limit Nodes:69
40b837 CloseHandle 38652 40b83e memset 38648->38652 38649 40b817 38651 409a45 3 API calls 38649->38651 38653 40b7b2 38650->38653 38654 40b827 CopyFileW 38651->38654 39704 40a6e6 WideCharToMultiByte 38652->39704 38656 409d1f 6 API calls 38653->38656 38654->38652 38656->38643 38657 40b866 38658 444432 121 API calls 38657->38658 38659 40b879 38658->38659 38660 40bad5 38659->38660 38661 40b273 27 API calls 38659->38661 38662 40baeb 38660->38662 38663 40bade DeleteFileW 38660->38663 38664 40b89a 38661->38664 38665 40b04b ??3@YAXPAX 38662->38665 38663->38662 38667 438552 134 API calls 38664->38667 38666 40baf3 38665->38666 38666->38143 38668 40b8a4 38667->38668 38669 40bacd 38668->38669 38671 4251c4 137 API calls 38668->38671 38670 443d90 111 API calls 38669->38670 38670->38660 38693 40b8b8 38671->38693 38672 40bac6 39714 424f26 123 API calls 38672->39714 38673 40b8bd memset 39705 425413 17 API calls 38673->39705 38676 425413 17 API calls 38676->38693 38679 40a71b MultiByteToWideChar 38679->38693 38682 40b9b5 memcmp 38682->38693 38683 4099c6 2 API calls 38683->38693 38684 404423 38 API calls 38684->38693 38687 4251c4 137 API calls 38687->38693 38688 40bb3e memset memcpy 39715 40a734 MultiByteToWideChar 38688->39715 38690 40bb88 LocalFree 38690->38693 38693->38672 38693->38673 38693->38676 38693->38679 38693->38682 38693->38683 38693->38684 38693->38687 38693->38688 38694 40ba5f memcmp 38693->38694 38695 40a734 MultiByteToWideChar 38693->38695 39706 4253ef 16 API calls 38693->39706 39707 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 38693->39707 39708 4253af 17 API calls 38693->39708 39709 4253cf 17 API calls 38693->39709 39710 447280 memset 38693->39710 39711 447960 memset memcpy memcpy memcpy 38693->39711 39712 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38693->39712 39713 447920 memcpy memcpy memcpy 38693->39713 38694->38693 38695->38693 38696->38220 38698 40aed1 38697->38698 38699 40aec7 FindClose 38697->38699 38698->38157 38699->38698 38701 4099d7 38700->38701 38702 
4099da memcpy 38700->38702 38701->38702 38702->38204 38704 40b2cc 27 API calls 38703->38704 38705 44543f 38704->38705 38706 409d1f 6 API calls 38705->38706 38707 44544f 38706->38707 39799 409b98 GetFileAttributesW 38707->39799 38709 44545e 38710 445476 38709->38710 38711 40b6ef 253 API calls 38709->38711 38712 40b2cc 27 API calls 38710->38712 38711->38710 38713 445482 38712->38713 38714 409d1f 6 API calls 38713->38714 38715 445492 38714->38715 39800 409b98 GetFileAttributesW 38715->39800 38717 4454a1 38718 4454b9 38717->38718 38719 40b6ef 253 API calls 38717->38719 38718->38229 38719->38718 38720->38228 38721->38252 38722->38255 38723->38292 38724->38274 38725->38321 38726->38321 38727->38303 38728->38333 38729->38335 38730->38337 38732 414c2e 17 API calls 38731->38732 38733 40c2ae 38732->38733 38803 40c1d3 38733->38803 38738 40c3be 38755 40a8ab 38738->38755 38739 40afcf 2 API calls 38740 40c2fd FindFirstUrlCacheEntryW 38739->38740 38741 40c3b6 38740->38741 38742 40c31e wcschr 38740->38742 38743 40b04b ??3@YAXPAX 38741->38743 38744 40c331 38742->38744 38745 40c35e FindNextUrlCacheEntryW 38742->38745 38743->38738 38747 40a8ab 9 API calls 38744->38747 38745->38742 38746 40c373 GetLastError 38745->38746 38748 40c3ad FindCloseUrlCache 38746->38748 38749 40c37e 38746->38749 38750 40c33e wcschr 38747->38750 38748->38741 38751 40afcf 2 API calls 38749->38751 38750->38745 38752 40c34f 38750->38752 38753 40c391 FindNextUrlCacheEntryW 38751->38753 38754 40a8ab 9 API calls 38752->38754 38753->38742 38753->38748 38754->38745 38992 40a97a 38755->38992 38758 40a8cc 38758->38344 38759 40a8d0 7 API calls 38759->38758 38997 40b1ab free free 38760->38997 38762 40c3dd 38763 40b2cc 27 API calls 38762->38763 38764 40c3e7 38763->38764 38998 414592 RegOpenKeyExW 38764->38998 38766 40c3f4 38767 40c50e 38766->38767 38768 40c3ff 38766->38768 38782 405337 38767->38782 38769 40a9ce 4 API calls 38768->38769 38770 40c418 memset 38769->38770 38999 40aa1d 38770->38999 38773 40c471 38775 40c47a 
_wcsupr 38773->38775 38774 40c505 RegCloseKey 38774->38767 38776 40a8d0 7 API calls 38775->38776 38777 40c498 38776->38777 38778 40a8d0 7 API calls 38777->38778 38779 40c4ac memset 38778->38779 38780 40aa1d 38779->38780 38781 40c4e4 RegEnumValueW 38780->38781 38781->38774 38781->38775 39001 405220 38782->39001 38786 4099c6 2 API calls 38785->38786 38787 40a714 _wcslwr 38786->38787 38788 40c634 38787->38788 39058 405361 38788->39058 38791 40c65c wcslen 39061 4053b6 39 API calls 38791->39061 38792 40c71d wcslen 38792->38358 38794 40c677 38795 40c713 38794->38795 39062 40538b 39 API calls 38794->39062 39064 4053df 39 API calls 38795->39064 38798 40c6a5 38798->38795 38799 40c6a9 memset 38798->38799 38800 40c6d3 38799->38800 39063 40c589 44 API calls 38800->39063 38802->38351 38804 40ae18 9 API calls 38803->38804 38810 40c210 38804->38810 38805 40ae51 9 API calls 38805->38810 38806 40c264 38807 40aebe FindClose 38806->38807 38809 40c26f 38807->38809 38808 40add4 2 API calls 38808->38810 38815 40e5ed memset memset 38809->38815 38810->38805 38810->38806 38810->38808 38811 40c231 _wcsicmp 38810->38811 38812 40c1d3 35 API calls 38810->38812 38811->38810 38813 40c248 38811->38813 38812->38810 38828 40c084 22 API calls 38813->38828 38816 414c2e 17 API calls 38815->38816 38817 40e63f 38816->38817 38818 409d1f 6 API calls 38817->38818 38819 40e658 38818->38819 38829 409b98 GetFileAttributesW 38819->38829 38821 40e667 38823 409d1f 6 API calls 38821->38823 38825 40e680 38821->38825 38823->38825 38824 40e68f 38826 40c2d8 38824->38826 38831 40e4b2 38824->38831 38830 409b98 GetFileAttributesW 38825->38830 38826->38738 38826->38739 38828->38810 38829->38821 38830->38824 38852 40e01e 38831->38852 38833 40e593 38834 40e5b0 38833->38834 38835 40e59c DeleteFileW 38833->38835 38836 40b04b ??3@YAXPAX 38834->38836 38835->38834 38838 40e5bb 38836->38838 38837 40e521 38837->38833 38875 40e175 38837->38875 38840 40e5c4 CloseHandle 38838->38840 38841 40e5cc 38838->38841 38840->38841 38843 
40b633 free 38841->38843 38842 40e573 38845 40e584 38842->38845 38846 40e57c CloseHandle 38842->38846 38844 40e5db 38843->38844 38849 40b633 free 38844->38849 38918 40b1ab free free 38845->38918 38846->38845 38848 40e540 38848->38842 38895 40e2ab 38848->38895 38850 40e5e3 38849->38850 38850->38826 38919 406214 38852->38919 38855 40e16b 38855->38837 38858 40afcf 2 API calls 38859 40e08d OpenProcess 38858->38859 38860 40e0a4 GetCurrentProcess DuplicateHandle 38859->38860 38864 40e152 38859->38864 38861 40e0d0 GetFileSize 38860->38861 38862 40e14a CloseHandle 38860->38862 38955 409a45 GetTempPathW 38861->38955 38862->38864 38863 40e160 38867 40b04b ??3@YAXPAX 38863->38867 38864->38863 38866 406214 22 API calls 38864->38866 38866->38863 38867->38855 38868 40e0ea 38958 4096dc CreateFileW 38868->38958 38870 40e0f1 CreateFileMappingW 38871 40e140 CloseHandle CloseHandle 38870->38871 38872 40e10b MapViewOfFile 38870->38872 38871->38862 38873 40e13b CloseHandle 38872->38873 38874 40e11f WriteFile UnmapViewOfFile 38872->38874 38873->38871 38874->38873 38876 40e18c 38875->38876 38959 406b90 38876->38959 38879 40e1a7 memset 38885 40e1e8 38879->38885 38880 40e299 38969 4069a3 38880->38969 38886 40e283 38885->38886 38887 40dd50 _wcsicmp 38885->38887 38893 40e244 _snwprintf 38885->38893 38976 406e8f 13 API calls 38885->38976 38977 40742e 8 API calls 38885->38977 38978 40aae3 wcslen wcslen _memicmp 38885->38978 38979 406b53 SetFilePointerEx ReadFile 38885->38979 38888 40e291 38886->38888 38889 40e288 free 38886->38889 38887->38885 38890 40aa04 free 38888->38890 38889->38888 38890->38880 38894 40a8d0 7 API calls 38893->38894 38894->38885 38896 40e2c2 38895->38896 38897 406b90 11 API calls 38896->38897 38912 40e2d3 38897->38912 38898 40e4a0 38899 4069a3 2 API calls 38898->38899 38900 40e4ab 38899->38900 38900->38848 38903 40e489 38904 40aa04 free 38903->38904 38906 40e491 38904->38906 38905 40dd50 _wcsicmp 38905->38912 38906->38898 38907 40e497 free 38906->38907 38907->38898 38909 
40e376 memset 38982 40aa29 38909->38982 38912->38898 38912->38903 38912->38905 38913 40e3e0 memcpy 38912->38913 38914 40e3b3 wcschr 38912->38914 38915 40e3fb memcpy 38912->38915 38916 40e416 memcpy 38912->38916 38917 40e431 memcpy 38912->38917 38980 406e8f 13 API calls 38912->38980 38981 40dd50 _wcsicmp 38912->38981 38990 40742e 8 API calls 38912->38990 38991 406b53 SetFilePointerEx ReadFile 38912->38991 38913->38912 38914->38912 38915->38912 38916->38912 38917->38912 38918->38833 38920 406294 CloseHandle 38919->38920 38921 406224 38920->38921 38922 4096c3 CreateFileW 38921->38922 38923 40622d 38922->38923 38924 406281 GetLastError 38923->38924 38926 40a2ef ReadFile 38923->38926 38925 40625a 38924->38925 38925->38855 38930 40dd85 memset 38925->38930 38927 406244 38926->38927 38927->38924 38928 40624b 38927->38928 38928->38925 38929 406777 19 API calls 38928->38929 38929->38925 38931 409bca GetModuleFileNameW 38930->38931 38932 40ddbe CreateFileW 38931->38932 38935 40ddf1 38932->38935 38933 40afcf ??2@YAPAXI ??3@YAXPAX 38933->38935 38934 41352f 9 API calls 38934->38935 38935->38933 38935->38934 38936 40de0b NtQuerySystemInformation 38935->38936 38937 40de3b CloseHandle GetCurrentProcessId 38935->38937 38936->38935 38938 40de54 38937->38938 38939 413d4c 46 API calls 38938->38939 38948 40de88 38939->38948 38940 40e00c 38941 413d29 free FreeLibrary 38940->38941 38942 40e014 38941->38942 38942->38855 38942->38858 38943 40dea9 _wcsicmp 38944 40dee7 OpenProcess 38943->38944 38945 40debd _wcsicmp 38943->38945 38944->38948 38945->38944 38946 40ded0 _wcsicmp 38945->38946 38946->38944 38946->38948 38947 40dfef CloseHandle 38947->38948 38948->38940 38948->38943 38948->38947 38949 40df78 38948->38949 38950 40df23 GetCurrentProcess DuplicateHandle 38948->38950 38953 40df8f CloseHandle 38948->38953 38949->38947 38949->38953 38954 40dfae _wcsicmp 38949->38954 38950->38948 38951 40df4c memset 38950->38951 38952 41352f 9 API calls 38951->38952 38952->38948 38953->38949 38954->38948 
38954->38949 38956 409a74 GetTempFileNameW 38955->38956 38957 409a66 GetWindowsDirectoryW 38955->38957 38956->38868 38957->38956 38958->38870 38960 406bd5 38959->38960 38963 406bad 38959->38963 38962 4066bf free malloc memcpy free free 38960->38962 38968 406c0f 38960->38968 38961 406bba _wcsicmp 38961->38960 38961->38963 38964 406be5 38962->38964 38963->38960 38963->38961 38965 40afcf ??2@YAPAXI ??3@YAXPAX 38964->38965 38964->38968 38966 406bff 38965->38966 38967 4068bf SetFilePointerEx memcpy ReadFile ??2@YAPAXI ??3@YAXPAX 38966->38967 38967->38968 38968->38879 38968->38880 38970 4069c4 ??3@YAXPAX 38969->38970 38971 4069af 38970->38971 38972 40b633 free 38971->38972 38973 4069ba 38972->38973 38974 40b04b ??3@YAXPAX 38973->38974 38975 4069c2 38974->38975 38975->38848 38976->38885 38977->38885 38978->38885 38979->38885 38980->38912 38981->38909 38983 40aa33 38982->38983 38984 40aa63 38982->38984 38985 40aa44 38983->38985 38986 40aa38 wcslen 38983->38986 38984->38912 38987 40a9ce malloc memcpy free free 38985->38987 38986->38985 38988 40aa4d 38987->38988 38988->38984 38989 40aa51 memcpy 38988->38989 38989->38984 38990->38912 38991->38912 38994 40a980 38992->38994 38993 40a8bb 38993->38758 38993->38759 38994->38993 38995 40a995 _wcsicmp 38994->38995 38996 40a99c wcscmp 38994->38996 38995->38994 38996->38994 38997->38762 38998->38766 39000 40aa23 RegEnumValueW 38999->39000 39000->38773 39000->38774 39002 405335 39001->39002 39003 40522a 39001->39003 39002->38358 39004 40b2cc 27 API calls 39003->39004 39005 405234 39004->39005 39006 40a804 8 API calls 39005->39006 39007 40523a 39006->39007 39046 40b273 39007->39046 39009 405248 _mbscpy _mbscat GetProcAddress 39010 40b273 27 API calls 39009->39010 39011 405279 39010->39011 39049 405211 GetProcAddress 39011->39049 39013 405282 39014 40b273 27 API calls 39013->39014 39015 40528f 39014->39015 39050 405211 GetProcAddress 39015->39050 39017 405298 39018 40b273 27 API calls 39017->39018 39019 4052a5 39018->39019 39051 405211 
GetProcAddress 39019->39051 39021 4052ae 39022 40b273 27 API calls 39021->39022 39023 4052bb 39022->39023 39052 405211 GetProcAddress 39023->39052 39025 4052c4 39026 40b273 27 API calls 39025->39026 39027 4052d1 39026->39027 39053 405211 GetProcAddress 39027->39053 39029 4052da 39030 40b273 27 API calls 39029->39030 39031 4052e7 39030->39031 39047 40b58d 27 API calls 39046->39047 39048 40b18c 39047->39048 39048->39009 39049->39013 39050->39017 39051->39021 39052->39025 39053->39029 39059 405220 39 API calls 39058->39059 39060 405369 39059->39060 39060->38791 39060->38792 39061->38794 39062->38798 39063->38795 39064->38792 39066 40440c FreeLibrary 39065->39066 39067 40436d 39066->39067 39068 40a804 8 API calls 39067->39068 39069 404377 39068->39069 39070 404383 39069->39070 39071 404405 39069->39071 39072 40b273 27 API calls 39070->39072 39071->38364 39071->38365 39071->38369 39073 40438d GetProcAddress 39072->39073 39074 40b273 27 API calls 39073->39074 39075 4043a7 GetProcAddress 39074->39075 39076 40b273 27 API calls 39075->39076 39077 4043ba GetProcAddress 39076->39077 39078 40b273 27 API calls 39077->39078 39079 4043ce GetProcAddress 39078->39079 39080 40b273 27 API calls 39079->39080 39081 4043e2 GetProcAddress 39080->39081 39082 4043f1 39081->39082 39083 4043f7 39082->39083 39084 40440c FreeLibrary 39082->39084 39083->39071 39084->39071 39086 404413 FreeLibrary 39085->39086 39087 40441e 39085->39087 39086->39087 39087->38380 39088->38377 39090 40447e 39089->39090 39091 40442e 39089->39091 39092 404485 CryptUnprotectData 39090->39092 39093 40449c 39090->39093 39094 40b2cc 27 API calls 39091->39094 39092->39093 39093->38377 39095 404438 39094->39095 39096 40a804 8 API calls 39095->39096 39097 40443e 39096->39097 39098 404445 39097->39098 39099 404467 39097->39099 39100 40b273 27 API calls 39098->39100 39099->39090 39101 404475 FreeLibrary 39099->39101 39102 40444f GetProcAddress 39100->39102 39101->39090 39102->39099 39103 404460 39102->39103 39103->39099 39105 
4135f6 39104->39105 39106 4135eb FreeLibrary 39104->39106 39105->38383 39106->39105 39108 4449c4 39107->39108 39109 444a52 39107->39109 39110 40b2cc 27 API calls 39108->39110 39109->38400 39109->38401 39111 4449cb 39110->39111 39112 40a804 8 API calls 39111->39112 39134 403a29 39133->39134 39148 403bed memset memset 39134->39148 39136 403a2f 39137 403ae7 39136->39137 39138 403a3f memset 39136->39138 39141 409b98 GetFileAttributesW 39136->39141 39142 40a8d0 7 API calls 39136->39142 39143 409d1f 6 API calls 39136->39143 39161 40b1ab free free 39137->39161 39138->39136 39140 403aef 39140->38418 39141->39136 39142->39136 39143->39136 39145 40a051 GetFileTime CloseHandle 39144->39145 39146 4039ca CompareFileTime 39144->39146 39145->39146 39146->38418 39147->38417 39149 414c2e 17 API calls 39148->39149 39150 403c38 39149->39150 39151 409719 2 API calls 39150->39151 39152 403c3f wcscat 39151->39152 39153 414c2e 17 API calls 39152->39153 39154 403c61 39153->39154 39155 409719 2 API calls 39154->39155 39156 403c68 wcscat 39155->39156 39162 403af5 39156->39162 39159 403af5 20 API calls 39160 403c95 39159->39160 39160->39136 39161->39140 39163 403b02 39162->39163 39164 40ae18 9 API calls 39163->39164 39172 403b37 39164->39172 39165 403bdb 39166 40aebe FindClose 39165->39166 39167 403be6 39166->39167 39167->39159 39168 40ae18 9 API calls 39168->39172 39169 40ae51 9 API calls 39169->39172 39170 40add4 wcscmp wcscmp 39170->39172 39171 40aebe FindClose 39171->39172 39172->39165 39172->39168 39172->39169 39172->39170 39172->39171 39173 40a8d0 7 API calls 39172->39173 39173->39172 39175 409d1f 6 API calls 39174->39175 39176 404190 39175->39176 39189 409b98 GetFileAttributesW 39176->39189 39178 40419c 39179 4041a7 6 API calls 39178->39179 39180 40435c 39178->39180 39182 40424f 39179->39182 39180->38445 39182->39180 39183 40425e memset 39182->39183 39185 409d1f 6 API calls 39182->39185 39186 40a8ab 9 API calls 39182->39186 39190 414842 39182->39190 39183->39182 39184 404296 wcscpy 
39183->39184 39184->39182 39185->39182 39187 4042b6 memset memset _snwprintf wcscpy 39186->39187 39187->39182 39188->38443 39189->39178 39193 41443e 39190->39193 39192 414866 39192->39182 39194 41444b 39193->39194 39195 414451 39194->39195 39196 4144a3 GetPrivateProfileStringW 39194->39196 39197 414491 39195->39197 39198 414455 wcschr 39195->39198 39196->39192 39199 414495 WritePrivateProfileStringW 39197->39199 39198->39197 39200 414463 _snwprintf 39198->39200 39199->39192 39200->39199 39201->38449 39203 40b2cc 27 API calls 39202->39203 39204 409615 39203->39204 39205 409d1f 6 API calls 39204->39205 39206 409625 39205->39206 39231 409b98 GetFileAttributesW 39206->39231 39208 409634 39209 409648 39208->39209 39232 4091b8 memset 39208->39232 39211 40b2cc 27 API calls 39209->39211 39213 408801 39209->39213 39212 40965d 39211->39212 39214 409d1f 6 API calls 39212->39214 39213->38452 39213->38480 39215 40966d 39214->39215 39284 409b98 GetFileAttributesW 39215->39284 39217 40967c 39217->39213 39218 409681 39217->39218 39285 409529 72 API calls 39218->39285 39220 409690 39220->39213 39231->39208 39286 40a6e6 WideCharToMultiByte 39232->39286 39234 409202 39287 444432 39234->39287 39237 40b273 27 API calls 39238 409236 39237->39238 39333 438552 39238->39333 39264 40951d 39264->39209 39284->39217 39285->39220 39286->39234 39383 4438b5 39287->39383 39289 44444c 39290 409215 39289->39290 39397 415a6d 39289->39397 39290->39237 39290->39264 39293 444486 39384 4438d0 39383->39384 39394 4438c9 39383->39394 39471 415378 memcpy memcpy 39384->39471 39394->39289 39398 415a77 39397->39398 39399 415a8d 39398->39399 39400 415a7e memset 39398->39400 39399->39293 39400->39399 39654 413f4f 39627->39654 39630 413f37 K32GetModuleFileNameExW 39631 413f4a 39630->39631 39631->38507 39633 413969 wcscpy 39632->39633 39634 41396c wcschr 39632->39634 39644 413a3a 39633->39644 39634->39633 39636 41398e 39634->39636 39659 4097f7 wcslen wcslen _memicmp 39636->39659 39638 41399a 39639 4139a4 memset 
39638->39639 39640 4139e6 39638->39640 39660 409dd5 GetWindowsDirectoryW wcscpy 39639->39660 39642 413a31 wcscpy 39640->39642 39643 4139ec memset 39640->39643 39642->39644 39661 409dd5 GetWindowsDirectoryW wcscpy 39643->39661 39644->38507 39645 4139c9 wcscpy wcscat 39645->39644 39647 413a11 memcpy wcscat 39647->39644 39649 413cb0 GetModuleHandleW 39648->39649 39650 413cda 39648->39650 39649->39650 39653 413cbf GetProcAddress 39649->39653 39651 413ce3 GetProcessTimes 39650->39651 39652 413cf6 39650->39652 39651->38514 39652->38514 39653->39650 39655 413f2f 39654->39655 39656 413f54 39654->39656 39655->39630 39655->39631 39657 40a804 8 API calls 39656->39657 39658 413f5f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 39657->39658 39658->39655 39659->39638 39660->39645 39661->39647 39662->38534 39663->38557 39665 409cf9 GetVersionExW 39664->39665 39666 409d0a 39664->39666 39665->39666 39666->38564 39666->38568 39667->38572 39668->38574 39669->38576 39670->38642 39672 40bba5 39671->39672 39716 40cc26 39672->39716 39675 40bd4b 39737 40cc0c 39675->39737 39680 40b2cc 27 API calls 39681 40bbef 39680->39681 39744 40ccf0 _wcsicmp 39681->39744 39683 40bbf5 39683->39675 39745 40ccb4 6 API calls 39683->39745 39685 40bc26 39686 40cf04 17 API calls 39685->39686 39687 40bc2e 39686->39687 39688 40bd43 39687->39688 39689 40b2cc 27 API calls 39687->39689 39690 40cc0c 4 API calls 39688->39690 39691 40bc40 39689->39691 39690->39675 39746 40ccf0 _wcsicmp 39691->39746 39693 40bc46 39693->39688 39694 40bc61 memset memset WideCharToMultiByte 39693->39694 39747 40103c strlen 39694->39747 39696 40bcc0 39697 40b273 27 API calls 39696->39697 39698 40bcd0 memcmp 39697->39698 39698->39688 39699 40bce2 39698->39699 39700 404423 38 API calls 39699->39700 39701 40bd10 39700->39701 39701->39688 39702 40bd3a LocalFree 39701->39702 39703 40bd1f memcpy 39701->39703 39702->39688 39703->39702 39704->38657 39705->38693 39706->38693 39707->38693 39708->38693 39709->38693 
39710->38693 39711->38693 39712->38693 39713->38693 39714->38669 39715->38690 39748 4096c3 CreateFileW 39716->39748 39718 40cc34 39719 40cc3d GetFileSize 39718->39719 39727 40bbca 39718->39727 39720 40afcf 2 API calls 39719->39720 39721 40cc64 39720->39721 39749 40a2ef ReadFile 39721->39749 39723 40cc71 39750 40ab4a MultiByteToWideChar 39723->39750 39725 40cc95 CloseHandle 39726 40b04b ??3@YAXPAX 39725->39726 39726->39727 39727->39675 39728 40cf04 39727->39728 39729 40b633 free 39728->39729 39730 40cf14 39729->39730 39756 40b1ab free free 39730->39756 39732 40bbdd 39732->39675 39732->39680 39733 40cf1b 39733->39732 39734 40cfef 39733->39734 39757 40cd4b 39733->39757 39736 40cd4b 14 API calls 39734->39736 39736->39732 39738 40b633 free 39737->39738 39739 40cc15 39738->39739 39740 40aa04 free 39739->39740 39741 40cc1d 39740->39741 39798 40b1ab free free 39741->39798 39743 40b7d4 memset CreateFileW 39743->38648 39743->38649 39744->39683 39745->39685 39746->39693 39747->39696 39748->39718 39749->39723 39751 40ab6b 39750->39751 39755 40ab93 39750->39755 39752 40a9ce 4 API calls 39751->39752 39753 40ab74 39752->39753 39754 40ab7c MultiByteToWideChar 39753->39754 39754->39755 39755->39725 39756->39733 39758 40cd7b 39757->39758 39759 40aa29 6 API calls 39758->39759 39763 40cd89 39759->39763 39760 40cef5 39761 40aa04 free 39760->39761 39762 40cefd 39761->39762 39762->39733 39763->39760 39764 40aa29 6 API calls 39763->39764 39765 40ce1d 39764->39765 39766 40aa29 6 API calls 39765->39766 39767 40ce3e 39766->39767 39768 40ce6a 39767->39768 39791 40abb7 wcslen memmove 39767->39791 39769 40ce9f 39768->39769 39794 40abb7 wcslen memmove 39768->39794 39772 40a8d0 7 API calls 39769->39772 39775 40ceb5 39772->39775 39773 40ce56 39792 40aa71 wcslen 39773->39792 39774 40ce8b 39795 40aa71 wcslen 39774->39795 39780 40a8d0 7 API calls 39775->39780 39778 40ce5e 39793 40abb7 wcslen memmove 39778->39793 39782 40cecb 39780->39782 39781 40ce93 39796 40abb7 wcslen memmove 39781->39796 39797 
40d00b malloc memcpy free free 39782->39797 39785 40cedd 39786 40aa04 free 39785->39786 39787 40cee5 39786->39787 39788 40aa04 free 39787->39788 39789 40ceed 39788->39789 39790 40aa04 free 39789->39790 39790->39760 39791->39773 39792->39778 39793->39768 39794->39774 39795->39781 39796->39769 39797->39785 39798->39743 39799->38709 39800->38717 39801 4426a9 39806 4324d3 39801->39806 39803 4426d2 39820 431a7b 39803->39820 39805 4426e3 39805->39805 39807 4324e3 39806->39807 39808 4324da 39806->39808 39814 4324e8 39807->39814 39888 43240a 12 API calls 39807->39888 39810 415a91 memset 39808->39810 39810->39807 39811 4324fd 39812 432513 39811->39812 39813 432508 39811->39813 39890 43034a memcpy 39812->39890 39889 4325ad memset 39813->39889 39814->39803 39816 43250e 39816->39803 39818 432548 39891 43034a memcpy 39818->39891 39821 431aa3 39820->39821 39842 431b2e 39820->39842 39821->39842 39892 43817e 39821->39892 39824 432116 39926 4325ad memset 39824->39926 39827 432122 39827->39805 39829 431ad5 39831 431b04 39829->39831 39829->39842 39897 42faf4 12 API calls 39829->39897 39830 431b15 39832 431baa 39830->39832 39833 431b7c memcmp 39830->39833 39830->39842 39898 42ff8c 39831->39898 39836 431bb0 39832->39836 39837 431bcb 39832->39837 39833->39832 39852 431b95 39833->39852 39907 4169a7 11 API calls 39836->39907 39839 431bd1 39837->39839 39840 431c45 39837->39840 39908 43034a memcpy 39839->39908 39910 4165ff 39840->39910 39925 42c02e memset 39842->39925 39844 431bdc 39844->39842 39909 430468 11 API calls 39844->39909 39847 431c65 39847->39842 39853 431cba 39847->39853 39913 42bf4c 14 API calls 39847->39913 39848 431bef 39848->39842 39848->39847 39848->39852 39850 415a91 memset 39854 431d17 39850->39854 39851 431ca1 39851->39842 39914 42bfcf memcpy 39851->39914 39852->39842 39906 4169a7 11 API calls 39852->39906 39853->39850 39854->39842 39855 431d27 memcpy 39854->39855 39858 431e97 39855->39858 39864 431da8 39855->39864 39857 431eb8 39916 4169a7 11 API calls 39857->39916 
39859 431f3c 39858->39859 39872 431f6a 39858->39872 39861 431fc3 39859->39861 39862 431f45 39859->39862 39919 4397fd memset 39861->39919 39917 4172c8 memset 39862->39917 39864->39842 39864->39857 39864->39858 39867 431e12 memcpy 39864->39867 39915 430af5 16 API calls 39864->39915 39866 431fd4 39866->39842 39920 4328e4 12 API calls 39866->39920 39867->39864 39870 431feb 39921 4233ae 11 API calls 39870->39921 39872->39842 39918 4169a7 11 API calls 39872->39918 39873 431ffc 39874 43202e 39873->39874 39877 4165ff 11 API calls 39873->39877 39922 42fe8b 22 API calls 39874->39922 39877->39874 39878 432057 39878->39842 39923 431917 23 API calls 39878->39923 39880 432079 39924 430b5d 11 API calls 39880->39924 39888->39811 39889->39816 39890->39818 39891->39816 39893 438187 39892->39893 39895 431ab6 39892->39895 39927 4380f6 39893->39927 39895->39830 39895->39842 39896 43041c 12 API calls 39895->39896 39896->39829 39897->39831 39899 43817e 139 API calls 39898->39899 39900 42ff99 39899->39900 39901 42ffe3 39900->39901 39902 42ffd0 39900->39902 39905 42ff9d 39900->39905 40155 4169a7 11 API calls 39901->40155 40154 4169a7 11 API calls 39902->40154 39905->39830 39906->39842 39907->39842 39908->39844 39909->39848 39911 4165a0 11 API calls 39910->39911 39912 41660d 39911->39912 39912->39847 39913->39851 39914->39853 39915->39864 39916->39842 39917->39842 39918->39842 39919->39866 39920->39870 39921->39873 39922->39878 39923->39880 39925->39824 39926->39827 39929 43811f 39927->39929 39928 438164 39928->39895 39929->39928 39932 437e5e 39929->39932 39955 4300e8 memset memset memcpy 39929->39955 39956 437d3c 39932->39956 39934 437eb3 39934->39929 39935 437ea9 39935->39934 39941 437f22 39935->39941 39971 41f432 39935->39971 39938 437f06 40018 415c56 11 API calls 39938->40018 39940 437f95 40019 415c56 11 API calls 39940->40019 39942 437f7f 39941->39942 39943 432d4e 3 API calls 39941->39943 39942->39940 39944 43802b 39942->39944 39943->39942 39946 4165ff 11 API calls 39944->39946 39947 
438054 39946->39947 39982 437371 39947->39982 39950 43806b 39951 438094 39950->39951 40020 42f50e 138 API calls 39950->40020 39952 437fa3 39951->39952 40021 4300e8 memset memset memcpy 39951->40021 39952->39934 40022 41f638 104 API calls 39952->40022 39955->39929 39957 437d69 39956->39957 39960 437d80 39956->39960 40023 437ccb 11 API calls 39957->40023 39959 437d76 39959->39935 39960->39959 39961 437da3 39960->39961 39962 437d90 39960->39962 39964 438460 134 API calls 39961->39964 39962->39959 40027 437ccb 11 API calls 39962->40027 39966 437dcb 39964->39966 39970 437de8 39966->39970 40024 444283 13 API calls 39966->40024 39968 437dfc 40025 437ccb 11 API calls 39968->40025 40026 424f26 123 API calls 39970->40026 39972 41f54d 39971->39972 39975 41f44f 39971->39975 39973 41f466 39972->39973 40057 41c635 memset memset 39972->40057 39973->39938 39973->39941 39975->39973 39980 41f50b 39975->39980 40028 41f1a5 39975->40028 40053 41c06f memcmp 39975->40053 40054 41f3b1 90 API calls 39975->40054 40055 41f398 86 API calls 39975->40055 39980->39972 39980->39973 40056 41c295 86 API calls 39980->40056 39983 41703f 11 API calls 39982->39983 39984 437399 39983->39984 39985 43739d 39984->39985 39986 4373ac 39984->39986 40144 4446ea 11 API calls 39985->40144 39988 416935 16 API calls 39986->39988 40011 4373ca 39988->40011 39989 437584 39991 4375bc 39989->39991 40151 42453e 123 API calls 39989->40151 39990 438460 134 API calls 39990->40011 39993 415c7d 16 API calls 39991->39993 39994 4375d2 39993->39994 39996 4442e6 11 API calls 39994->39996 39998 4373a7 39994->39998 39995 4251c4 137 API calls 39995->40011 39997 4375e2 39996->39997 39997->39998 40152 444283 13 API calls 39997->40152 39998->39950 40000 415a91 memset 40000->40011 40003 43758f 40150 42453e 123 API calls 40003->40150 40006 4375f4 40009 437620 40006->40009 40010 43760b 40006->40010 40008 43759f 40012 416935 16 API calls 40008->40012 40014 416935 16 API calls 40009->40014 40153 444283 13 API calls 40010->40153 

                                                                                                    Control-flow Graph (graph starting at 40dd85; figure not reproduced)
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040DDAD
                                                                                                      • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                                                                                    • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                      • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                                                    • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                                    • CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                                    • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                                    • _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                                    • _wcsicmp.MSVCRT ref: 0040DEC5
                                                                                                    • _wcsicmp.MSVCRT ref: 0040DED8
                                                                                                    • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                                                                                    • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                                                                                    • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                                                                                    • memset.MSVCRT ref: 0040DF5F
                                                                                                    • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                                                                                                    • _wcsicmp.MSVCRT ref: 0040DFB2
                                                                                                    • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
                                                                                                    • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                                                                                    • API String ID: 708747863-3398334509
                                                                                                    • Opcode ID: 5cab624b8928eaf00a06d38b2ee3d6eb31f92f98f3d88623932f7a2009947366
                                                                                                    • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                                                                                    • Opcode Fuzzy Hash: 5cab624b8928eaf00a06d38b2ee3d6eb31f92f98f3d88623932f7a2009947366
                                                                                                    • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58

                                                                                                    Control-flow Graph (graph starting at 413d4c; figure not reproduced)
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
                                                                                                    • memset.MSVCRT ref: 00413D7F
                                                                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                                                                                    • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                                                                                    • memset.MSVCRT ref: 00413E07
                                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                                                                                    • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                                                                                    • free.MSVCRT ref: 00413EC1
                                                                                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                                                                    • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                                                                                                    • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                                                    • API String ID: 1344430650-1740548384
                                                                                                    • Opcode ID: 7edb3ed668d67efb41ddc3a99b3dcc2d3fa5e99a9f713289acc2c2ca3bb66fb8
                                                                                                    • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                                                                    • Opcode Fuzzy Hash: 7edb3ed668d67efb41ddc3a99b3dcc2d3fa5e99a9f713289acc2c2ca3bb66fb8
                                                                                                    • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

                                                                                                    Control-flow Graph (graph starting at 40b58d; figure not reproduced)
                                                                                                    APIs
                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?, AE,?,?,00411B78,?,General,?,00000000,00000001), ref: 0040B5A5
                                                                                                    • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                                                                                                    • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                                                                    • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                                                                    • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                                                                    • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                                                                    • String ID: AE$BIN
                                                                                                    • API String ID: 1668488027-3931574542
                                                                                                    • Opcode ID: 34e809506899ed03cb1dc36614dfe32cef5e62f1a3b34244b0efced66f6d4593
                                                                                                    • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                                                                                    • Opcode Fuzzy Hash: 34e809506899ed03cb1dc36614dfe32cef5e62f1a3b34244b0efced66f6d4593
                                                                                                    • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
                                                                                                    APIs
                                                                                                      • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                                      • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                                                                      • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
                                                                                                      • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                    • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                                                                    • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                                                                    • free.MSVCRT ref: 00418803
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                                                                                    • String ID:
                                                                                                    • API String ID: 1355100292-0
                                                                                                    • Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                                                    • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                                                                                    • Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                                                    • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                                                                                    APIs
                                                                                                    • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                    • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                     • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                     • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Library$Load$AddressCryptDataDirectoryFreeProcSystemUnprotectmemsetwcscatwcscpy
                                                                                                    • String ID:
                                                                                                    • API String ID: 767404330-0
                                                                                                    • Opcode ID: 91f5c8417cc05eb5371089ee99512099cd95d68580e827c1857cd6a30ed1daf0
                                                                                                    • Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
                                                                                                    • Opcode Fuzzy Hash: 91f5c8417cc05eb5371089ee99512099cd95d68580e827c1857cd6a30ed1daf0
                                                                                                    • Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
                                                                                                    APIs
                                                                                                    • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                                                                    • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                     • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                     • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileFind$FirstNext
                                                                                                    • String ID:
                                                                                                    • API String ID: 1690352074-0
                                                                                                    • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                                    • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                                                                    • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                                    • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0041898C
                                                                                                    • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                     • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                     • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InfoSystemmemset
                                                                                                    • String ID:
                                                                                                    • API String ID: 3558857096-0
                                                                                                    • Opcode ID: 1cb27ac447f4cf033b6cba199a5ddcb1fdd974c12d9e405e28a5f35c0eb83b67
                                                                                                    • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                                                                    • Opcode Fuzzy Hash: 1cb27ac447f4cf033b6cba199a5ddcb1fdd974c12d9e405e28a5f35c0eb83b67
                                                                                                    • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 004455C2
                                                                                                    • wcsrchr.MSVCRT ref: 004455DA
                                                                                                    • memset.MSVCRT ref: 0044570D
                                                                                                    • memset.MSVCRT ref: 00445725
                                                                                                      • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                                                                      • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                                                                      • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                                      • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                                                                      • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
                                                                                                      • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                                                                      • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                                      • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                                    • memset.MSVCRT ref: 0044573D
                                                                                                    • memset.MSVCRT ref: 00445755
                                                                                                    • memset.MSVCRT ref: 004458CB
                                                                                                    • memset.MSVCRT ref: 004458E3
                                                                                                    • memset.MSVCRT ref: 0044596E
                                                                                                    • memset.MSVCRT ref: 00445A10
                                                                                                    • memset.MSVCRT ref: 00445A28
                                                                                                    • memset.MSVCRT ref: 00445AC6
                                                                                                      • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                      • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                      • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                                                      • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                                                                      • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                                      • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                                    • memset.MSVCRT ref: 00445B52
                                                                                                    • memset.MSVCRT ref: 00445B6A
                                                                                                    • memset.MSVCRT ref: 00445C9B
                                                                                                    • memset.MSVCRT ref: 00445CB3
                                                                                                    • _wcsicmp.MSVCRT ref: 00445D56
                                                                                                    • memset.MSVCRT ref: 00445B82
                                                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                      • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                      • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                      • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                                                      • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                                                                    • memset.MSVCRT ref: 00445986
                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                     • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                     • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateFolderHandlePathProcSizeSpecial_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                                                                                    • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                                                                    • API String ID: 1963886904-3798722523
                                                                                                    • Opcode ID: 4107367e6a52814d16d978fdb1f2ed27fa2de906a3c2bdd9af1925875ae5045e
                                                                                                    • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                                                                    • Opcode Fuzzy Hash: 4107367e6a52814d16d978fdb1f2ed27fa2de906a3c2bdd9af1925875ae5045e
                                                                                                    • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                      • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044C3
                                                                                                      • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                      • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044E9
                                                                                                      • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                    • SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 00412799
                                                                                                    • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004127B2
                                                                                                    • EnumResourceTypesW.KERNEL32(00000000,?,00000002), ref: 004127B9
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                     • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                     • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                                                    • String ID: $/deleteregkey$/savelangfile
                                                                                                    • API String ID: 2744995895-28296030
                                                                                                    • Opcode ID: fcad638c039a134244896b453c320ca2d1027186d3b9ab8085e6916e84848b7d
                                                                                                    • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                                                                    • Opcode Fuzzy Hash: fcad638c039a134244896b453c320ca2d1027186d3b9ab8085e6916e84848b7d
                                                                                                    • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040B71C
                                                                                                      • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                                                      • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                                                                    • wcsrchr.MSVCRT ref: 0040B738
                                                                                                    • memset.MSVCRT ref: 0040B756
                                                                                                    • memset.MSVCRT ref: 0040B7F5
                                                                                                    • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                    • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                                                                                                    • CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
                                                                                                    • memset.MSVCRT ref: 0040B851
                                                                                                    • memset.MSVCRT ref: 0040B8CA
                                                                                                    • memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF
                                                                                                      • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                      • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                      • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                                                    • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                                                                                    • memset.MSVCRT ref: 0040BB53
                                                                                                    • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                                                                                    • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$File$Freewcsrchr$AddressCloseCopyCreateCryptDataDeleteHandleLibraryLocalProcUnprotectmemcmpmemcpywcscpy
                                                                                                    • String ID: chp$v10
                                                                                                    • API String ID: 1297422669-2783969131
                                                                                                    • Opcode ID: 544f7529f0c4d3a53e9c457f8d9cabf322a2e4b31897d0a2c4cc607292de5a12
                                                                                                    • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                                                                    • Opcode Fuzzy Hash: 544f7529f0c4d3a53e9c457f8d9cabf322a2e4b31897d0a2c4cc607292de5a12
                                                                                                    • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                      • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                      • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                    • free.MSVCRT ref: 0040E49A
                                                                                                      • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                    • memset.MSVCRT ref: 0040E380
                                                                                                      • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                      • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,Function_0004E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                                    • wcschr.MSVCRT ref: 0040E3B8
                                                                                                    • memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,74DF2EE0), ref: 0040E3EC
                                                                                                    • memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,74DF2EE0), ref: 0040E407
                                                                                                    • memcpy.MSVCRT(?,-00000220,00000008,Function_0004E518,00000000,00000000,74DF2EE0), ref: 0040E422
                                                                                                    • memcpy.MSVCRT(?,-00000220,00000008,Function_0004E518,00000000,00000000,74DF2EE0), ref: 0040E43D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                                                                                    • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                                                    • API String ID: 3849927982-2252543386
                                                                                                    • Opcode ID: 3e36793f9e080becf73b9dda80bc1391f7a6b1e793b4af3828a127e2c1810b15
                                                                                                    • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                                                                                    • Opcode Fuzzy Hash: 3e36793f9e080becf73b9dda80bc1391f7a6b1e793b4af3828a127e2c1810b15
                                                                                                    • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 004091E2
                                                                                                      • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                    • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                                    • memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                                                    • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                                                                                    • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                                                                                    • memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
                                                                                                    • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                                                                                    • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                                                                                    • memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
                                                                                                    • memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
                                                                                                    • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                                                                                    • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                                                                                    • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                                                                                    • memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
                                                                                                    • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                                                                                    • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                                                                    • String ID:
                                                                                                    • API String ID: 3715365532-3916222277
                                                                                                    • Opcode ID: 1c524b1582e21d5cf33c38ae172dfd569e4d92201c70e2bcc6981c46efb40b80
                                                                                                    • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                                                                    • Opcode Fuzzy Hash: 1c524b1582e21d5cf33c38ae172dfd569e4d92201c70e2bcc6981c46efb40b80
                                                                                                    • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                      • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                                                      • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                                      • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                                      • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                                      • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                                      • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                    • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                    • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                    • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                    • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                      • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                      • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                      • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                      • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                                                                                    • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                    • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                    • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                    • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                    • CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                                                                    • CloseHandle.KERNEL32(?), ref: 0040E148
                                                                                                    • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                                                    • String ID: bhv
                                                                                                    • API String ID: 4234240956-2689659898
                                                                                                    • Opcode ID: d6173e2fc1e4a9acd8e6e5097b502ef7bad012bb9f4f5ce7a241332e90e3d993
                                                                                                    • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                                                                    • Opcode Fuzzy Hash: d6173e2fc1e4a9acd8e6e5097b502ef7bad012bb9f4f5ce7a241332e90e3d993
                                                                                                    • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                    • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                    • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                    • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                    • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                    • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                    • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                    • API String ID: 2941347001-70141382
                                                                                                    • Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                                                                    • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                                                                                    • Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                                                                    • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040C298
                                                                                                      • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                      • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                                                                      • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                                                                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                    • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                    • wcschr.MSVCRT ref: 0040C324
                                                                                                    • wcschr.MSVCRT ref: 0040C344
                                                                                                    • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                    • GetLastError.KERNEL32 ref: 0040C373
                                                                                                    • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                                                                    • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
                                                                                                    • String ID: visited:

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 721 40e175-40e1a1 call 40695d call 406b90 726 40e1a7-40e1e5 memset 721->726 727 40e299-40e2a8 call 4069a3 721->727 729 40e1e8-40e1fa call 406e8f 726->729 733 40e270-40e27d call 406b53 729->733 734 40e1fc-40e219 call 40dd50 * 2 729->734 733->729 739 40e283-40e286 733->739 734->733 745 40e21b-40e21d 734->745 742 40e291-40e294 call 40aa04 739->742 743 40e288-40e290 free 739->743 742->727 743->742 745->733 746 40e21f-40e235 call 40742e 745->746 746->733 749 40e237-40e242 call 40aae3 746->749 749->733 752 40e244-40e26b _snwprintf call 40a8d0 749->752 752->733
                                                                                                    APIs
                                                                                                      • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                    • memset.MSVCRT ref: 0040E1BD
                                                                                                      • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                    • free.MSVCRT ref: 0040E28B
                                                                                                      • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                      • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                                                                      • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                                                                    • _snwprintf.MSVCRT ref: 0040E257
                                                                                                      • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                      • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                      • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                      • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                                                                    • String ID: $ContainerId$Container_%I64d$Containers$Name

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                      • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                      • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                      • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                                    • memset.MSVCRT ref: 0040BC75
                                                                                                    • memset.MSVCRT ref: 0040BC8C
                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,Function_0004E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                                                                                    • memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE), ref: 0040BCD6
                                                                                                    • memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
                                                                                                    • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                                                                                                    • String ID:

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 822 41837f-4183bf 823 4183c1-4183cc call 418197 822->823 824 4183dc-4183ec call 418160 822->824 829 4183d2-4183d8 823->829 830 418517-41851d 823->830 831 4183f6-41840b 824->831 832 4183ee-4183f1 824->832 829->824 833 418417-418423 831->833 834 41840d-418415 831->834 832->830 835 418427-418442 call 41739b 833->835 834->835 838 418444-41845d CreateFileW 835->838 839 41845f-418475 CreateFileA 835->839 840 418477-41847c 838->840 839->840 841 4184c2-4184c7 840->841 842 41847e-418495 GetLastError free 840->842 845 4184d5-418501 memset call 418758 841->845 846 4184c9-4184d3 841->846 843 4184b5-4184c0 call 444706 842->843 844 418497-4184b3 call 41837f 842->844 843->830 844->830 852 418506-418515 free 845->852 846->845 852->830
                                                                                                    APIs
                                                                                                    • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                                                                    • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                                                                                                    • GetLastError.KERNEL32 ref: 0041847E
                                                                                                    • free.MSVCRT ref: 0041848B
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: CreateFile$ErrorLastfree
                                                                                                    • String ID: |A

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0041249C
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
                                                                                                    • GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
                                                                                                    • LoadIconW.USER32(00000000,00000065), ref: 0041258B
                                                                                                    • wcscpy.MSVCRT ref: 004125A0
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                                                                    • String ID: r!A
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                                      • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                                      • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                                                      • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                                                                      • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                      • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                                                                      • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                                                                      • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                      • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                                                                      • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                                                                      • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                      • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                                                                      • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                                                                      • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                    • _wcslwr.MSVCRT ref: 0040C817
                                                                                                      • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                                                      • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                                                                    • wcslen.MSVCRT ref: 0040C82C
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                                                                    • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040A824
                                                                                                    • GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                    • wcscpy.MSVCRT ref: 0040A854
                                                                                                    • wcscat.MSVCRT ref: 0040A86A
                                                                                                    • LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                    • LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                    • String ID: C:\Windows\system32
                                                                                                    • API String ID: 669240632-2896066436
                                                                                                    • Opcode ID: 808217d469f29374b6c53add07773bde8ba425e7a3f83fd710eb9a2b8acfca27
                                                                                                    • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                                                                                                    • Opcode Fuzzy Hash: 808217d469f29374b6c53add07773bde8ba425e7a3f83fd710eb9a2b8acfca27
                                                                                                    • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                                                                                                    APIs
                                                                                                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                                    • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                                    • wcslen.MSVCRT ref: 0040BE06
                                                                                                    • wcsncmp.MSVCRT ref: 0040BE38
                                                                                                    • memset.MSVCRT ref: 0040BE91
                                                                                                    • memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                                    • _wcsnicmp.MSVCRT ref: 0040BEFC
                                                                                                    • wcschr.MSVCRT ref: 0040BF24
                                                                                                    • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$CredEnumerateFreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                                                                                    • String ID:
                                                                                                    • API String ID: 697348961-0
                                                                                                    • Opcode ID: 33cbc3fbfef4114ffc04ab79ab4e472c1ca1484598d0cfc67a802b423a316e07
                                                                                                    • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                                                                                    • Opcode Fuzzy Hash: 33cbc3fbfef4114ffc04ab79ab4e472c1ca1484598d0cfc67a802b423a316e07
                                                                                                    • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00403CBF
                                                                                                    • memset.MSVCRT ref: 00403CD4
                                                                                                    • memset.MSVCRT ref: 00403CE9
                                                                                                    • memset.MSVCRT ref: 00403CFE
                                                                                                    • memset.MSVCRT ref: 00403D13
                                                                                                      • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                      • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                      • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                      • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                      • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                    • memset.MSVCRT ref: 00403DDA
                                                                                                      • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                      • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                                    • String ID: Waterfox$Waterfox\Profiles
                                                                                                    • API String ID: 4039892925-11920434
                                                                                                    • Opcode ID: 74213e66932f07ea3ad059af1798c87c438cc92db4e0e7cdb609a7dadd567ada
                                                                                                    • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                                                                                    • Opcode Fuzzy Hash: 74213e66932f07ea3ad059af1798c87c438cc92db4e0e7cdb609a7dadd567ada
                                                                                                    • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00403E50
                                                                                                    • memset.MSVCRT ref: 00403E65
                                                                                                    • memset.MSVCRT ref: 00403E7A
                                                                                                    • memset.MSVCRT ref: 00403E8F
                                                                                                    • memset.MSVCRT ref: 00403EA4
                                                                                                      • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                      • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                      • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                      • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                      • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                    • memset.MSVCRT ref: 00403F6B
                                                                                                      • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                      • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                                    • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                                                    • API String ID: 4039892925-2068335096
                                                                                                    • Opcode ID: fb8d06a7ed3fa35f71d99b938417e45633d605fe1ac21657eef3450a4ac41d2d
                                                                                                    • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                                                                                    • Opcode Fuzzy Hash: fb8d06a7ed3fa35f71d99b938417e45633d605fe1ac21657eef3450a4ac41d2d
                                                                                                    • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00403FE1
                                                                                                    • memset.MSVCRT ref: 00403FF6
                                                                                                    • memset.MSVCRT ref: 0040400B
                                                                                                    • memset.MSVCRT ref: 00404020
                                                                                                    • memset.MSVCRT ref: 00404035
                                                                                                      • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                      • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                      • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                      • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                      • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                    • memset.MSVCRT ref: 004040FC
                                                                                                      • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                      • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                                    • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                                                                    • API String ID: 4039892925-3369679110
                                                                                                    • Opcode ID: a800c2c864e82bb525ebc7d4b700ce70e1897f56eef446e490fc18a40a012dd3
                                                                                                    • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                                                                                    • Opcode Fuzzy Hash: a800c2c864e82bb525ebc7d4b700ce70e1897f56eef446e490fc18a40a012dd3
                                                                                                    • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                                                                                                    APIs
                                                                                                    • memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpy
                                                                                                    • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                                                                    • API String ID: 3510742995-2641926074
                                                                                                    • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                                                    • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                                                                                    • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                                                    • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                                      • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                                                                      • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                                                                    • memset.MSVCRT ref: 004033B7
                                                                                                    • memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
                                                                                                    • wcscmp.MSVCRT ref: 004033FC
                                                                                                    • _wcsicmp.MSVCRT ref: 00403439
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
                                                                                                    • String ID: $0.@
                                                                                                    • API String ID: 2758756878-1896041820
                                                                                                    • Opcode ID: 90c1bd1f00aab923b8f25d437f952d518439630af4329cefc1ee53129d619d56
                                                                                                    • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                                                                                    • Opcode Fuzzy Hash: 90c1bd1f00aab923b8f25d437f952d518439630af4329cefc1ee53129d619d56
                                                                                                    • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                    • String ID:
                                                                                                    • API String ID: 2941347001-0
                                                                                                    • Opcode ID: 80e482451f5ca37e8404f50e4d067f365766b265f7642500ec0655012d68ebd6
                                                                                                    • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                                                                                                    • Opcode Fuzzy Hash: 80e482451f5ca37e8404f50e4d067f365766b265f7642500ec0655012d68ebd6
                                                                                                    • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00403C09
                                                                                                    • memset.MSVCRT ref: 00403C1E
                                                                                                      • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                      • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                                                                      • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                                                                    • wcscat.MSVCRT ref: 00403C47
                                                                                                      • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                      • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                      • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                    • wcscat.MSVCRT ref: 00403C70
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
                                                                                                    • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                                                    • API String ID: 1534475566-1174173950
                                                                                                    • Opcode ID: 8452d1ff202b3ecdc32f03c4689b339ff6508c8f38893fabe83067ed25a4ac21
                                                                                                    • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                                                                                                    • Opcode Fuzzy Hash: 8452d1ff202b3ecdc32f03c4689b339ff6508c8f38893fabe83067ed25a4ac21
                                                                                                    • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                                                                                                    APIs
                                                                                                      • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                                                    • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                    • memset.MSVCRT ref: 00414C87
                                                                                                    • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                    • wcscpy.MSVCRT ref: 00414CFC
                                                                                                      • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                                                                    Strings
                                                                                                    • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                                                                    Similarity
                                                                                                    • API ID: AddressCloseFolderPathProcSpecialVersionmemsetwcscpy
                                                                                                    • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                    • API String ID: 71295984-2036018995
                                                                                                    • Opcode ID: f400cfab40eb781a7377af97b809c3f02e1ff83a00fe342fd0a4f0569afe9d8a
                                                                                                    • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                                                                                                    • Opcode Fuzzy Hash: f400cfab40eb781a7377af97b809c3f02e1ff83a00fe342fd0a4f0569afe9d8a
                                                                                                    • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                                                                                                    APIs
                                                                                                    • wcschr.MSVCRT ref: 00414458
                                                                                                    • _snwprintf.MSVCRT ref: 0041447D
                                                                                                    • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                                                                    • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                                                    • String ID: "%s"
                                                                                                    • API String ID: 1343145685-3297466227
                                                                                                    • Opcode ID: aabbe202c5f79078aea71dac5ab2605718744c8b92afc7520f4e067a7367162e
                                                                                                    • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                                                                                    • Opcode Fuzzy Hash: aabbe202c5f79078aea71dac5ab2605718744c8b92afc7520f4e067a7367162e
                                                                                                    • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                                                                                    APIs
                                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                                                                                    • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: AddressHandleModuleProcProcessTimes
                                                                                                    • String ID: GetProcessTimes$kernel32.dll
                                                                                                    • API String ID: 1714573020-3385500049
                                                                                                    • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                                                    • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                                                                                                    • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                                                    • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 004087D6
                                                                                                      • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                      • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                                                                    • memset.MSVCRT ref: 00408828
                                                                                                    • memset.MSVCRT ref: 00408840
                                                                                                    • memset.MSVCRT ref: 00408858
                                                                                                    • memset.MSVCRT ref: 00408870
                                                                                                    • memset.MSVCRT ref: 00408888
                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                    Similarity
                                                                                                    • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                                                                    • String ID:
                                                                                                    • API String ID: 2911713577-0
                                                                                                    • Opcode ID: 6684bba834465d20886231ffe2d62564197a18c1a2325da43f028315e65dbcab
                                                                                                    • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                                                                                                    • Opcode Fuzzy Hash: 6684bba834465d20886231ffe2d62564197a18c1a2325da43f028315e65dbcab
                                                                                                    • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                                                                                                    APIs
                                                                                                    • memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
                                                                                                    • memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
                                                                                                    • memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: memcmp
                                                                                                    • String ID: @ $SQLite format 3
                                                                                                    • API String ID: 1475443563-3708268960
                                                                                                    • Opcode ID: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                                                                    • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                                                                                                    • Opcode Fuzzy Hash: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                                                                    • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: _wcsicmpqsort
                                                                                                    • String ID: /nosort$/sort
                                                                                                    • API String ID: 1579243037-1578091866
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040E60F
                                                                                                    • memset.MSVCRT ref: 0040E629
                                                                                                      • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                    Strings
                                                                                                    • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                                                                    • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                                                                    Similarity
                                                                                                    • API ID: memsetwcslen$AttributesFileFolderPathSpecialwcscatwcscpy
                                                                                                    • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                                                    • API String ID: 2887208581-2114579845
                                                                                                    APIs
                                                                                                    • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                                                                                    • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                                                                    • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                                                                    • LockResource.KERNEL32(00000000), ref: 004148EF
                                                                                                    Similarity
                                                                                                    • API ID: Resource$FindLoadLockSizeof
                                                                                                    • String ID:
                                                                                                    • API String ID: 3473537107-0
                                                                                                    APIs
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(020D0048), ref: 0044DF01
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(020E0050), ref: 0044DF11
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00926DB0), ref: 0044DF21
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(020E0458), ref: 0044DF31
                                                                                                    Similarity
                                                                                                    • API ID: ??3@
                                                                                                    • String ID:
                                                                                                    • API String ID: 613200358-0
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                                                    Similarity
                                                                                                    • API ID: memset
                                                                                                    • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                                                    • API String ID: 2221118986-1725073988
                                                                                                    APIs
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,00000000,00412966,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004125C3
                                                                                                    • DeleteObject.GDI32(00000000), ref: 004125E7
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: ??3@DeleteObject
                                                                                                    • String ID: r!A
                                                                                                    • API String ID: 1103273653-628097481
                                                                                                    APIs
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0CC
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0EA
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D108
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D126
                                                                                                    Similarity
                                                                                                    • API ID: ??2@
                                                                                                    • String ID:
                                                                                                    • API String ID: 1033339047-0
                                                                                                    APIs
                                                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                    • memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$memcmp
                                                                                                    • String ID: $$8
                                                                                                    • API String ID: 2808797137-435121686
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                      • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                      • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                      • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                      • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                      • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                      • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                      • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                      • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                                    • CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                                                                                      • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                                                                      • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                                                                      • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,74DF2EE0), ref: 0040E3EC
                                                                                                    • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                                                                    • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                                                                                      • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                                                                      • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                                                                      • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
                                                                                                    Similarity
                                                                                                    • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                                                                                    • String ID:
                                                                                                    • API String ID: 1979745280-0
                                                                                                    APIs
                                                                                                      • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                                                                      • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                                                                      • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                                                                      • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                                                                    • memset.MSVCRT ref: 00403A55
                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                      • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                      • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                      • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                      • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
                                                                                                    • String ID: history.dat$places.sqlite
                                                                                                    • API String ID: 2641622041-467022611
                                                                                                    APIs
                                                                                                      • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                      • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                                                                      • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                                                                    • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                                                                                    • GetLastError.KERNEL32 ref: 00417627
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast$File$PointerRead
                                                                                                    • String ID:
                                                                                                    • API String ID: 839530781-0
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileFindFirst
                                                                                                    • String ID: *.*$index.dat
                                                                                                    • API String ID: 1974802433-2863569691
                                                                                                    APIs
                                                                                                    • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                    • GetLastError.KERNEL32 ref: 004175A2
                                                                                                    • GetLastError.KERNEL32 ref: 004175A8
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast$FilePointer
                                                                                                    • String ID:
                                                                                                    • API String ID: 1156039329-0
                                                                                                    APIs
                                                                                                    • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                    • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                    • CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: File$CloseCreateHandleTime
                                                                                                    • String ID:
                                                                                                    • API String ID: 3397143404-0
                                                                                                    APIs
                                                                                                    • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                    • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                    • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Temp$DirectoryFileNamePathWindows
                                                                                                    • String ID:
                                                                                                    • API String ID: 1125800050-0
                                                                                                    APIs
                                                                                                    • Sleep.KERNEL32(00000064), ref: 004175D0
                                                                                                    • CloseHandle.KERNELBASE(?,00000000,00000000,0045DBC0,00417C24,00000008,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseHandleSleep
                                                                                                    • String ID: }A
                                                                                                    • API String ID: 252777609-2138825249
                                                                                                    APIs
                                                                                                    • malloc.MSVCRT ref: 00409A10
                                                                                                    • memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                                                    • free.MSVCRT ref: 00409A31
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: freemallocmemcpy
                                                                                                    • String ID:
                                                                                                    • API String ID: 3056473165-0
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: d
                                                                                                    • API String ID: 0-2564639436
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset
                                                                                                    • String ID: BINARY
                                                                                                    • API String ID: 2221118986-907554435
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: _wcsicmp
                                                                                                    • String ID: /stext
                                                                                                    • API String ID: 2081463915-3817206916
                                                                                                    APIs
                                                                                                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                      • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                                                                                      • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                                                                                    • CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                      • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                                                                    Similarity
                                                                                                    • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                                                                                    • String ID:
                                                                                                    • API String ID: 2445788494-0
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    • failed to allocate %u bytes of memory, xrefs: 004152F0
                                                                                                    Similarity
                                                                                                    • API ID: malloc
                                                                                                    • String ID: failed to allocate %u bytes of memory
                                                                                                    • API String ID: 2803490479-1168259600
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0041BDDF
                                                                                                    • memcmp.MSVCRT(00001388,?,00000010,?,00000065,00000065,?,?,?,?,?,0041F1B4,?,00000065,004381DF,00000065), ref: 0041BDF1
                                                                                                    Similarity
                                                                                                    • API ID: memcmpmemset
                                                                                                    • String ID:
                                                                                                    • API String ID: 1065087418-0
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040ECF9
                                                                                                      • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040EDC0
                                                                                                    • GetStdHandle.KERNEL32(000000F5,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00410530
                                                                                                    • CloseHandle.KERNELBASE(00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00410654
                                                                                                      • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                                                                                      • Part of subcall function 0040973C: GetLastError.KERNEL32(00000000,?,00410669,00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00409750
                                                                                                      • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                                                                      • Part of subcall function 0040973C: MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00409796
                                                                                                    Similarity
                                                                                                    • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                                                                                                    • String ID:
                                                                                                    • API String ID: 1381354015-0
                                                                                                    APIs
                                                                                                    Similarity
                                                                                                    • API ID: free
                                                                                                    • String ID:
                                                                                                    • API String ID: 1294909896-0
                                                                                                    APIs
                                                                                                      • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                                                      • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                      • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                      • Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                    • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                                                                    Similarity
                                                                                                    • API ID: File$Time$CloseCompareCreateHandlememset
                                                                                                    • String ID:
                                                                                                    • API String ID: 2154303073-0
                                                                                                    APIs
                                                                                                      • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                                    Similarity
                                                                                                    • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                    • String ID:
                                                                                                    • API String ID: 3150196962-0
                                                                                                    APIs
                                                                                                    • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                    Similarity
                                                                                                    • API ID: File$PointerRead
                                                                                                    • String ID:
                                                                                                    • API String ID: 3154509469-0
                                                                                                    APIs
                                                                                                    • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                                                                      • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                                                                      • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                                                                      • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: PrivateProfile$StringWrite_itowmemset
                                                                                                    • String ID:
                                                                                                    • API String ID: 4232544981-0
                                                                                                    APIs
                                                                                                    • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FreeLibrary
                                                                                                    • String ID:
                                                                                                    • API String ID: 3664257935-0
                                                                                                    APIs
                                                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                    • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$FileModuleName
                                                                                                    • String ID:
                                                                                                    • API String ID: 3859505661-0
                                                                                                    APIs
                                                                                                    • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileRead
                                                                                                    • String ID:
                                                                                                    • API String ID: 2738559852-0
                                                                                                    APIs
                                                                                                    • WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,?,0041056A,00000000,004538EC,00000002,?,00412758,00000000,00000000,?), ref: 0040A325
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 3934441357-0
                                                                                                    APIs
                                                                                                    • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FreeLibrary
                                                                                                    • String ID:
                                                                                                    • API String ID: 3664257935-0
                                                                                                    APIs
                                                                                                    • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateFile
                                                                                                    • String ID:
                                                                                                    • API String ID: 823142352-0
                                                                                                    APIs
                                                                                                    • CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateFile
                                                                                                    • String ID:
                                                                                                    • API String ID: 823142352-0
                                                                                                    APIs
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ??3@
                                                                                                    • String ID:
                                                                                                    • API String ID: 613200358-0
                                                                                                    APIs
                                                                                                    • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FreeLibrary
                                                                                                    • String ID:
                                                                                                    • API String ID: 3664257935-0
                                                                                                    APIs
                                                                                                    • EnumResourceNamesW.KERNELBASE(?,?,004148B6,00000000), ref: 0041494B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    APIs
                                                                                                    • FreeLibrary.KERNELBASE(00000000), ref: 0044DEB6
                                                                                                    APIs
                                                                                                    • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                                                                    APIs
                                                                                                    • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                    APIs
                                                                                                    • GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 004095FC
                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                      • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                                                                      • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                                      • Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00445426
                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                      • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                      • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                      • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                                    • memcpy.MSVCRT(00000000,00000000,?,00000000,00000000,?,00000000,0040627C), ref: 00406942
                                                                                                    APIs
                                                                                                    • API ID: _wcsicmp
                                                                                                    APIs
                                                                                                      • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                                                                                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                    • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                                                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                    Similarity
                                                                                                    • API ID: ??2@??3@
                                                                                                    • String ID:
                                                                                                    • API String ID: 1936579350-0
                                                                                                    • Opcode ID: b7d64a9db0ab8f7e7b6c625ee8b1c93a5659d73149cb5b89327274070e360fa5
                                                                                                    • Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
                                                                                                    • Opcode Fuzzy Hash: b7d64a9db0ab8f7e7b6c625ee8b1c93a5659d73149cb5b89327274070e360fa5
                                                                                                    • Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
                                                                                                    APIs
                                                                                                    Similarity
                                                                                                    • API ID: free
                                                                                                    • String ID:
                                                                                                    • API String ID: 1294909896-0
                                                                                                    • Opcode ID: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                                                                    • Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
                                                                                                    • Opcode Fuzzy Hash: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                                                                    • Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
                                                                                                    APIs
                                                                                                    Similarity
                                                                                                    • API ID: free
                                                                                                    • String ID:
                                                                                                    • API String ID: 1294909896-0
                                                                                                    • Opcode ID: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                                                                    • Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
                                                                                                    • Opcode Fuzzy Hash: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                                                                    • Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
                                                                                                    APIs
                                                                                                    Similarity
                                                                                                    • API ID: free
                                                                                                    • String ID:
                                                                                                    • API String ID: 1294909896-0
                                                                                                    • Opcode ID: 908a2f96169ffd3f5635234353574390e30f5bbba8146f1a6a93cc8e14f9cc97
                                                                                                    • Instruction ID: 5e082493cfe38c59748d9de5a46a99a47989c0e105afa31b953e1adb18ef7a34
                                                                                                    • Opcode Fuzzy Hash: 908a2f96169ffd3f5635234353574390e30f5bbba8146f1a6a93cc8e14f9cc97
                                                                                                    • Instruction Fuzzy Hash: 17900282455501105C0425755C06505110808A313A376074A7032955D1CE188060601D
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: __aulldvrm$__aullrem
                                                                                                    • String ID: %$(NULL)$+$-x0$0123456789ABCDEF0123456789abcdef$NULL
                                                                                                    • API String ID: 643879872-1412151055
                                                                                                    • Opcode ID: c6afacad555dbd14974f70931c1b038d1aa016e2d82547434a8122da05a805f9
                                                                                                    • Instruction ID: e0cc6b836fff892d006744b0329856caed0b51470de7c61c9c8f9526dc712ed7
                                                                                                    • Opcode Fuzzy Hash: c6afacad555dbd14974f70931c1b038d1aa016e2d82547434a8122da05a805f9
                                                                                                    • Instruction Fuzzy Hash: AD32C0319087918FD721CF18D5807EBBBE1AF95304F19495FE8C497252D378CA8ACB9A
                                                                                                    APIs
                                                                                                    • EmptyClipboard.USER32 ref: 004098EC
                                                                                                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                                                                    • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                                                                    • GlobalLock.KERNEL32(00000000), ref: 00409927
                                                                                                    • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                                                                                                    • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                                                                    • GetLastError.KERNEL32 ref: 0040995D
                                                                                                    • CloseHandle.KERNEL32(?), ref: 00409969
                                                                                                    • GetLastError.KERNEL32 ref: 00409974
                                                                                                    • CloseClipboard.USER32 ref: 0040997D
                                                                                                    Similarity
                                                                                                    • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                                                                                    • String ID:
                                                                                                    • API String ID: 3604893535-0
                                                                                                    • Opcode ID: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                                                                                    • Instruction ID: b216396755dc4e0bfb1664a9ae46c4c33dbc75b884417c11e98c88a04b476fe2
                                                                                                    • Opcode Fuzzy Hash: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                                                                                    • Instruction Fuzzy Hash: 3D113D7A540204BBE7105FA6DC4CA9E7B78FB06356F10457AF902E22A1DB748901CB69
                                                                                                    APIs
                                                                                                    • LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044C3
                                                                                                    • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                    • FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044E9
                                                                                                    • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: Library$AddressFreeLoadMessageProc
                                                                                                    • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                    • API String ID: 2780580303-317687271
                                                                                                    • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                                                    • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                                                                                                    • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                                                    • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
                                                                                                    APIs
                                                                                                    • GetSystemTime.KERNEL32(?), ref: 00418836
                                                                                                    • memcpy.MSVCRT(?,?,00000010), ref: 00418845
                                                                                                    • GetCurrentProcessId.KERNEL32 ref: 00418856
                                                                                                    • memcpy.MSVCRT(?,?,00000004), ref: 00418869
                                                                                                    • GetTickCount.KERNEL32 ref: 0041887D
                                                                                                    • memcpy.MSVCRT(?,?,00000004), ref: 00418890
                                                                                                    • QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
                                                                                                    • memcpy.MSVCRT(?,?,00000008), ref: 004188B6
                                                                                                    Similarity
                                                                                                    • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                                                                                    • String ID:
                                                                                                    • API String ID: 4218492932-0
                                                                                                    • Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                                                                                    • Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
                                                                                                    • Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                                                                                    • Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795
                                                                                                    APIs
                                                                                                    • EmptyClipboard.USER32 ref: 00409882
                                                                                                    • wcslen.MSVCRT ref: 0040988F
                                                                                                    • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                                                                                    • GlobalLock.KERNEL32(00000000), ref: 004098AC
                                                                                                    • memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411A1E,-00000210), ref: 004098B5
                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 004098BE
                                                                                                    • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                                                                                    • CloseClipboard.USER32 ref: 004098D7
                                                                                                    Similarity
                                                                                                    • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
                                                                                                    • String ID:
                                                                                                    • API String ID: 1213725291-0
                                                                                                    • Opcode ID: 2c7da0a1169fa3e148b60bfefcefaa8efe46c1682b98611cbf8cde0c6b7c4e2a
                                                                                                    • Instruction ID: b754b6ca90195c8d8a6f67e3e00c953256c5cf8724ac1a445a604cc17dd28da6
                                                                                                    • Opcode Fuzzy Hash: 2c7da0a1169fa3e148b60bfefcefaa8efe46c1682b98611cbf8cde0c6b7c4e2a
                                                                                                    • Instruction Fuzzy Hash: 4AF0967B1402246BD2112FA6AC4DD2B772CFB86B56B05013AF90592251DA3448004779
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset
                                                                                                    • String ID: 8$P$P$at most %d tables in a join$cannot use index: %s
                                                                                                    • API String ID: 2221118986-3931078971
                                                                                                    APIs
                                                                                                    • GetLastError.KERNEL32 ref: 004182D7
                                                                                                      • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                    • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                                                                    • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                                                                    • LocalFree.KERNEL32(?), ref: 00418342
                                                                                                    • free.MSVCRT ref: 00418370
                                                                                                      • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74DEDF80,?,0041755F,?), ref: 00417452
                                                                                                      • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                                                                                    • String ID: OsError 0x%x (%u)
                                                                                                    • API String ID: 2360000266-2664311388
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    • %d values for %d columns, xrefs: 004364AA
                                                                                                    • table %S has no column named %s, xrefs: 00436578
                                                                                                    • table %S has %d columns but %d values were supplied, xrefs: 0043648A
                                                                                                    • rows inserted, xrefs: 00436C5F
                                                                                                    Similarity
                                                                                                    • API ID: memset
                                                                                                    • String ID: %d values for %d columns$rows inserted$table %S has %d columns but %d values were supplied$table %S has no column named %s
                                                                                                    • API String ID: 2221118986-2709362559
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: memset
                                                                                                    • String ID: no such column: %s$rows updated
                                                                                                    • API String ID: 2221118986-885832449
                                                                                                    APIs
                                                                                                      • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                      • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                      • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                    • OpenClipboard.USER32(?), ref: 00411878
                                                                                                    • GetLastError.KERNEL32 ref: 0041188D
                                                                                                    • DeleteFileW.KERNEL32(?), ref: 004118AC
                                                                                                      • Part of subcall function 004098E2: EmptyClipboard.USER32 ref: 004098EC
                                                                                                      • Part of subcall function 004098E2: GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                                                                      • Part of subcall function 004098E2: GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                                                                      • Part of subcall function 004098E2: GlobalLock.KERNEL32(00000000), ref: 00409927
                                                                                                      • Part of subcall function 004098E2: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                                                                      • Part of subcall function 004098E2: GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                                                                                                      • Part of subcall function 004098E2: SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                                                                      • Part of subcall function 004098E2: CloseHandle.KERNEL32(?), ref: 00409969
                                                                                                      • Part of subcall function 004098E2: CloseClipboard.USER32 ref: 0040997D
                                                                                                    Similarity
                                                                                                    • API ID: ClipboardFile$Global$CloseTemp$AllocDataDeleteDirectoryEmptyErrorHandleLastLockNameOpenPathReadSizeUnlockWindows
                                                                                                    • String ID:
                                                                                                    • API String ID: 2633007058-0
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                                    • memset.MSVCRT ref: 00406F8B
                                                                                                    • free.MSVCRT ref: 00407082
                                                                                                      • Part of subcall function 004069DF: memcpy.MSVCRT(Af@,?,?,00406A37,?,?,00000000,?,?,?,?,00406641,?), ref: 004069FB
                                                                                                    Similarity
                                                                                                    • API ID: free$memcpymemset
                                                                                                    • String ID:
                                                                                                    • API String ID: 2037443186-0
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: >PD$>PD
                                                                                                    • API String ID: 0-241360673
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: UUUU$g|@
                                                                                                    • API String ID: 0-841461634
                                                                                                    Similarity
                                                                                                    • API ID: ??2@??3@memcpymemset
                                                                                                    • String ID:
                                                                                                    • API String ID: 1865533344-0
                                                                                                    APIs
                                                                                                    • GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                    Similarity
                                                                                                    • API ID: Version
                                                                                                    • String ID:
                                                                                                    • API String ID: 1889659487-0
                                                                                                    APIs
                                                                                                    • NtdllDefWindowProc_W.NTDLL(?,?,?,?,00401B0D,?,?,?), ref: 004018D2
                                                                                                    Similarity
                                                                                                    • API ID: NtdllProc_Window
                                                                                                    • String ID:
                                                                                                    • API String ID: 4255912815-0
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: UUUU
                                                                                                    • API String ID: 0-1798160573
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: (D8
                                                                                                    • API String ID: 0-3292100582
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 32abcd04455321b07f66e99fd0bcc8daf237abc4de33049fd76ff7c9198d1abb
                                                                                                    • Instruction ID: 7b529b0c1894574a094486b107de62a614b2b8bb623f091bad4def53639f0530
                                                                                                    • Opcode Fuzzy Hash: 32abcd04455321b07f66e99fd0bcc8daf237abc4de33049fd76ff7c9198d1abb
                                                                                                    • Instruction Fuzzy Hash: 2C5126B17203054BE308CE28EC503AA7BD3EBC534AF18C63DC541C768AD67EE5164785
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 3b3061fac263143bf3d11d038388f116502fba1d2a280c6dd7583d1d6c59509c
                                                                                                    • Instruction ID: 3574e4e96b5cae7c2ce7dcf764c1f42f5149340d1e6b4e9c3817a5d878268b27
                                                                                                    • Opcode Fuzzy Hash: 3b3061fac263143bf3d11d038388f116502fba1d2a280c6dd7583d1d6c59509c
                                                                                                    • Instruction Fuzzy Hash: A25119729245F08EE395CB3F8454812BFE2AFCD21234FC2D6D8D86B567D2719822DB94
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 916c56741cc8f6ade01a16149e57abe195bb5378381ef9de74a807da475a2b6d
                                                                                                    • Instruction ID: a63f790cb74f6972c31383897434a808543730992f85785b63cb3a81aa66305c
                                                                                                    • Opcode Fuzzy Hash: 916c56741cc8f6ade01a16149e57abe195bb5378381ef9de74a807da475a2b6d
                                                                                                    • Instruction Fuzzy Hash: D751A26170D7905BD7098B3894506AFFFD1ABDA304F498A6DF4CA9B382C5249A08C79A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 29029382298886ffb5c972b1d452ec7b0888992857c24374549475b705505bbf
                                                                                                    • Instruction ID: c0f57332b75f98b7b3b9f2f8260941e7774f0d3fac54c31b43d02fa3067fd927
                                                                                                    • Opcode Fuzzy Hash: 29029382298886ffb5c972b1d452ec7b0888992857c24374549475b705505bbf
                                                                                                    • Instruction Fuzzy Hash: E351115510DBD29EC3268B7D4490196FFF16E77101708CA8EE4EA47B83D118F6A8DBB2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: bf2dd090743e2c6723c98dc34c7731ba56a2aa4091d3d4934fb2d269311e6206
                                                                                                    • Instruction ID: 6bf344bc0ac2e9a1038f2722d90c5adff34fed9f267e6e685f57ef4be10f9a8b
                                                                                                    • Opcode Fuzzy Hash: bf2dd090743e2c6723c98dc34c7731ba56a2aa4091d3d4934fb2d269311e6206
                                                                                                    • Instruction Fuzzy Hash: C20171367207058FD308CFADFCC1966B3B2FBD92127084539DA01C3267EA78E921CA54
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: cf104503c4d1f63e508e528481e2c1d582825b9df7b848c5f582128bf29b2c3b
                                                                                                    • Instruction ID: 1c8cf4990013556009a943ce68bbe5c533817c3d042a03847a5f6a4628de1edc
                                                                                                    • Opcode Fuzzy Hash: cf104503c4d1f63e508e528481e2c1d582825b9df7b848c5f582128bf29b2c3b
                                                                                                    • Instruction Fuzzy Hash: DA01E8326159308FA389DE3AC80144377E3FFCA32532AC1E5C945AB57DD6316847DB90
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d4540386dd2ecfa8358b54f970b731510518c9cc2a47fdc7166f1c0352bd1f31
                                                                                                    • Instruction ID: e46ac8c8d649937048925bbc22b10e31c7d260e61c9919193dd0f57e0586c858
                                                                                                    • Opcode Fuzzy Hash: d4540386dd2ecfa8358b54f970b731510518c9cc2a47fdc7166f1c0352bd1f31
                                                                                                    • Instruction Fuzzy Hash: 75011E326019208FA38DCE3AC80545377E3FFCA325326C1E8D845AB579D6316802CBD4
                                                                                                    APIs
                                                                                                    • _wcsicmp.MSVCRT ref: 004022A6
                                                                                                    • _wcsicmp.MSVCRT ref: 004022D7
                                                                                                    • _wcsicmp.MSVCRT ref: 00402305
                                                                                                    • _wcsicmp.MSVCRT ref: 00402333
                                                                                                      • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                      • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,Function_0004E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                                    • memset.MSVCRT ref: 0040265F
                                                                                                    • memcpy.MSVCRT(?,?,00000011), ref: 0040269B
                                                                                                      • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                      • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                      • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                                                    • memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
                                                                                                    • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _wcsicmp$Freememcpy$Library$AddressCryptDataLocalProcUnprotectmemsetwcslen
                                                                                                    • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                                                                    • API String ID: 2929817778-1134094380
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                                                                                    • String ID: :stringdata$ftp://$http://$https://
                                                                                                    • API String ID: 2787044678-1921111777
                                                                                                    APIs
                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                                                                                    • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                                                                                    • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                                                                                    • GetWindowRect.USER32(?,?), ref: 00414088
                                                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                                                                                    • GetDC.USER32 ref: 004140E3
                                                                                                    • wcslen.MSVCRT ref: 00414123
                                                                                                    • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                                                                                    • ReleaseDC.USER32(?,?), ref: 00414181
                                                                                                    • _snwprintf.MSVCRT ref: 00414244
                                                                                                    • SetWindowTextW.USER32(?,?), ref: 00414258
                                                                                                    • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                                                                                    • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                                                                                    • GetClientRect.USER32(?,?), ref: 004142E1
                                                                                                    • GetWindowRect.USER32(?,?), ref: 004142EB
                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                                                                                    • GetClientRect.USER32(?,?), ref: 0041433B
                                                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                                                                    • String ID: %s:$EDIT$STATIC
                                                                                                    APIs
                                                                                                    • EndDialog.USER32(?,?), ref: 00413221
                                                                                                    • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                                                                                    • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                                                                                    • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                                                                                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                                                                                    • memset.MSVCRT ref: 00413292
                                                                                                    • memset.MSVCRT ref: 004132B4
                                                                                                    • memset.MSVCRT ref: 004132CD
                                                                                                    • memset.MSVCRT ref: 004132E1
                                                                                                    • memset.MSVCRT ref: 004132FB
                                                                                                    • memset.MSVCRT ref: 00413310
                                                                                                    • GetCurrentProcess.KERNEL32 ref: 00413318
                                                                                                    • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                                                                                    • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                                                                                    • memset.MSVCRT ref: 004133C0
                                                                                                    • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                                                                                    • memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
                                                                                                    • wcscpy.MSVCRT ref: 0041341F
                                                                                                    • _snwprintf.MSVCRT ref: 0041348E
                                                                                                    • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                                                                                    • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                                                                                    • SetFocus.USER32(00000000), ref: 004134B7
                                                                                                    Strings
                                                                                                    • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                                                                                    • {Unknown}, xrefs: 004132A6
                                                                                                    Similarity
                                                                                                    • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                                                    • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                                                    APIs
                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                                                                                    • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                                                                                    • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                                                                                    • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                                                                                    • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                                                                                    • EndDialog.USER32(?,?), ref: 0040135E
                                                                                                    • DeleteObject.GDI32(?), ref: 0040136A
                                                                                                    • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                                                                                    • ShowWindow.USER32(00000000), ref: 00401398
                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                                                                                    • ShowWindow.USER32(00000000), ref: 004013A7
                                                                                                    • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                                                                    • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                                                                    • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                                                                    • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                                                                    Similarity
                                                                                                    • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                                                    • String ID:
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00404172
                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                    • wcscpy.MSVCRT ref: 004041D6
                                                                                                    • wcscpy.MSVCRT ref: 004041E7
                                                                                                    • memset.MSVCRT ref: 00404200
                                                                                                    • memset.MSVCRT ref: 00404215
                                                                                                    • _snwprintf.MSVCRT ref: 0040422F
                                                                                                    • wcscpy.MSVCRT ref: 00404242
                                                                                                    • memset.MSVCRT ref: 0040426E
                                                                                                    • memset.MSVCRT ref: 004042CD
                                                                                                    • memset.MSVCRT ref: 004042E2
                                                                                                    • _snwprintf.MSVCRT ref: 004042FE
                                                                                                    • wcscpy.MSVCRT ref: 00404311
                                                                                                    Similarity
                                                                                                    • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                                                                    • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                                                                    • SetMenu.USER32(?,00000000), ref: 00411453
                                                                                                    • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                                                                    • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                                                                    • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                                                                    • memcpy.MSVCRT(?,?,00002008,?,00000000,/nosaveload,00000000,00000001), ref: 004115C8
                                                                                                    • ShowWindow.USER32(?,?), ref: 004115FE
                                                                                                    • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                                                                    • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                                                                    • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                                                                    • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                                                                    • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                                                                      • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                                                                      • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                                                                    • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                                                                    APIs
                                                                                                    Similarity
                                                                                                    • API ID: wcscat$_snwprintfmemset$wcscpy
                                                                                                    • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                    APIs
                                                                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                                    • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                                                    • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                                                    • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                                                    • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                                                    • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                                                    • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                                                    • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                                                    • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$HandleModule
                                                                                                    • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                                                                    • API String ID: 667068680-2887671607
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: _snwprintfmemset$wcscpy$wcscat
                                                                                                    • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                    • API String ID: 1607361635-601624466
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: _snwprintf$memset$wcscpy
                                                                                                    • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                    • API String ID: 2000436516-3842416460
                                                                                                    APIs
                                                                                                      • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                                                                      • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                                                                      • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                                      • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                                      • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                                      • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                                      • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                                      • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                                      • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                                      • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                                      • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                                                                    • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                                                                    • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                                                                    • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                                                                    • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                                                                    • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                                                                    • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                                                                    • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                                                                    • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                                                                    • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                                                                    Similarity
                                                                                                    • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                                                                    • String ID:
                                                                                                    • API String ID: 1043902810-0
                                                                                                    APIs
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(?,00000000,0040DC1B,?,00000000), ref: 0044480A
                                                                                                    • _snwprintf.MSVCRT ref: 0044488A
                                                                                                    • wcscpy.MSVCRT ref: 004448B4
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 00444964
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: ??2@??3@_snwprintfwcscpy
                                                                                                    • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                                                                    • API String ID: 2899246560-1542517562
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040DBCD
                                                                                                    • memset.MSVCRT ref: 0040DBE9
                                                                                                      • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                                                                                      • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT(?,00000000,0040DC1B,?,00000000), ref: 0044480A
                                                                                                      • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                                                                                                      • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                                                                                                    • wcscpy.MSVCRT ref: 0040DC2D
                                                                                                    • wcscpy.MSVCRT ref: 0040DC3C
                                                                                                    • wcscpy.MSVCRT ref: 0040DC4C
                                                                                                    • EnumResourceNamesW.KERNEL32(0040DD4B,00000004,0040D957,00000000), ref: 0040DCB1
                                                                                                    • EnumResourceNamesW.KERNEL32(0040DD4B,00000005,0040D957,00000000), ref: 0040DCBB
                                                                                                    • wcscpy.MSVCRT ref: 0040DCC3
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                                                                                                    • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                                                                                    • API String ID: 3330709923-517860148
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                      • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                      • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                                    • memset.MSVCRT ref: 0040806A
                                                                                                    • memset.MSVCRT ref: 0040807F
                                                                                                    • _wtoi.MSVCRT(00000000,00000000,00000136,00000000,00000135,00000000,00000134,00000000,00000133,00000000,00000132,00000000,00000131,00000000,00000130,00000000), ref: 004081AF
                                                                                                    • _wcsicmp.MSVCRT ref: 004081C3
                                                                                                    • memset.MSVCRT ref: 004081E4
                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
                                                                                                      • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
                                                                                                      • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
                                                                                                      • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
                                                                                                      • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                                                                      • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                                                                      • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                                                                      • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                                                                      • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
                                                                                                      • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                                                      • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$CloseFileHandleSize_wtoi_wtoi64wcscpy
                                                                                                    • String ID: logins$null
                                                                                                    • API String ID: 2148543256-2163367763
                                                                                                    APIs
                                                                                                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000001,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 0040859D
                                                                                                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                    • memset.MSVCRT ref: 004085CF
                                                                                                    • memset.MSVCRT ref: 004085F1
                                                                                                    • memset.MSVCRT ref: 00408606
                                                                                                    • strcmp.MSVCRT ref: 00408645
                                                                                                    • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
                                                                                                    • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
                                                                                                    • memset.MSVCRT ref: 0040870E
                                                                                                    • strcmp.MSVCRT ref: 0040876B
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
                                                                                                    • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                                                                    • String ID: ---
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0041087D
                                                                                                    • memset.MSVCRT ref: 00410892
                                                                                                    • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                                    • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                                    • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                                    • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                                    • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                                    • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                                    • GetSysColor.USER32(0000000F), ref: 00410999
                                                                                                    • DeleteObject.GDI32(?), ref: 004109D0
                                                                                                    • DeleteObject.GDI32(?), ref: 004109D6
                                                                                                    • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                                                                    • String ID:
                                                                                                    APIs
                                                                                                      • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                    • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                                    • malloc.MSVCRT ref: 004186B7
                                                                                                    • free.MSVCRT ref: 004186C7
                                                                                                    • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                                                                                    • free.MSVCRT ref: 004186E0
                                                                                                    • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                                                                                    • malloc.MSVCRT ref: 004186FE
                                                                                                    • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                                                                                    • free.MSVCRT ref: 00418716
                                                                                                    • free.MSVCRT ref: 0041872A
                                                                                                    • free.MSVCRT ref: 00418749
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: free$FullNamePath$malloc$Version
                                                                                                    • String ID: |A
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _wcsicmp
                                                                                                    • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                                    • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                    APIs
                                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                                                                                    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                                                                                                    • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                                                                                                    • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                                                                                                    • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                                                                                                    • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$HandleModule
                                                                                                    • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                                                    APIs
                                                                                                    • GetDC.USER32(00000000), ref: 004121FF
                                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                                                                    • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                                                                    • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                                                                    • SelectObject.GDI32(?,?), ref: 00412251
                                                                                                    • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                                                                    • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                                                                      • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                                                                      • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                                                                      • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                                                                    • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                                                                    • SetCursor.USER32(00000000), ref: 004122BC
                                                                                                    • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                                                                    • memcpy.MSVCRT(?,?,00002008), ref: 0041234D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                                                                    • String ID:
                                                                                                    APIs
                                                                                                    • GetClientRect.USER32(?,?), ref: 004111E0
                                                                                                    • GetWindowRect.USER32(?,?), ref: 004111F6
                                                                                                    • GetWindowRect.USER32(?,?), ref: 0041120C
                                                                                                    • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                                                                                    • GetWindowRect.USER32(00000000), ref: 0041124D
                                                                                                    • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                                                                                    • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                                                                                    • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                                                                                    • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                                                                                    • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                                                                                    • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                                                                                    • EndDeferWindowPos.USER32(?), ref: 0041130B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                                                                    • String ID:
                                                                                                    • API String ID: 552707033-0
                                                                                                    APIs
                                                                                                    • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
                                                                                                      • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                                                                                      • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                                                                                      • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                                                    • memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
                                                                                                    • strchr.MSVCRT ref: 0040C140
                                                                                                    • strchr.MSVCRT ref: 0040C151
                                                                                                    • _strlwr.MSVCRT ref: 0040C15F
                                                                                                    • memset.MSVCRT ref: 0040C17A
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                                                                                                    • String ID: 4$h
                                                                                                    • API String ID: 4066021378-1856150674
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$_snwprintf
                                                                                                    • String ID: %%0.%df
                                                                                                    • API String ID: 3473751417-763548558
                                                                                                    APIs
                                                                                                    • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                                                                                    • KillTimer.USER32(?,00000041), ref: 004060D7
                                                                                                    • KillTimer.USER32(?,00000041), ref: 004060E8
                                                                                                    • GetTickCount.KERNEL32 ref: 0040610B
                                                                                                    • GetParent.USER32(?), ref: 00406136
                                                                                                    • SendMessageW.USER32(00000000), ref: 0040613D
                                                                                                    • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                                                                                    • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                                                                                    • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                                                                    • String ID: A
                                                                                                    • API String ID: 2892645895-3554254475
                                                                                                    APIs
                                                                                                    • LoadMenuW.USER32(?,?), ref: 0040D97F
                                                                                                      • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                                                                                                      • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                                                                                                      • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                                                                                                      • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                                                                                                    • DestroyMenu.USER32(00000000), ref: 0040D99D
                                                                                                    • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                                                                                                    • GetDesktopWindow.USER32 ref: 0040D9FD
                                                                                                    • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                                                                                                    • memset.MSVCRT ref: 0040DA23
                                                                                                    • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                                                                                                    • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                                                                                                    • DestroyWindow.USER32(00000005), ref: 0040DA70
                                                                                                      • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                                                                    • String ID: caption
                                                                                                    • API String ID: 973020956-4135340389
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                                                                                                    • <table dir="rtl"><tr><td>, xrefs: 00410B00
                                                                                                    • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                                                                                    • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$_snwprintf$wcscpy
                                                                                                    • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                                                    • API String ID: 1283228442-2366825230
                                                                                                    APIs
                                                                                                    • wcschr.MSVCRT ref: 00413972
                                                                                                    • wcscpy.MSVCRT ref: 00413982
                                                                                                      • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                                                      • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                                                      • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                                                    • wcscpy.MSVCRT ref: 004139D1
                                                                                                    • wcscat.MSVCRT ref: 004139DC
                                                                                                    • memset.MSVCRT ref: 004139B8
                                                                                                      • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                                                                                      • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                                                                                    • memset.MSVCRT ref: 00413A00
                                                                                                    • memcpy.MSVCRT(?,?,00000004,?,?,00000000,00000208,?), ref: 00413A1B
                                                                                                    • wcscat.MSVCRT ref: 00413A27
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                                                                    • String ID: \systemroot
                                                                                                    • API String ID: 4173585201-1821301763
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: wcscpy
                                                                                                    • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                                                                    • API String ID: 1284135714-318151290
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                                                                    • String ID: 0$6
                                                                                                    • API String ID: 4066108131-3849865405
                                                                                                    • Opcode ID: fc96a420e8f8bdf87928e34e657a0b6c1b8723afb93dcca2deed5b8d5a3436dd
                                                                                                    • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                                                                                                    • Opcode Fuzzy Hash: fc96a420e8f8bdf87928e34e657a0b6c1b8723afb93dcca2deed5b8d5a3436dd
                                                                                                    • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 004082EF
                                                                                                      • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                    • memset.MSVCRT ref: 00408362
                                                                                                    • memset.MSVCRT ref: 00408377
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$ByteCharMultiWide
                                                                                                    • String ID:
                                                                                                    • API String ID: 290601579-0
                                                                                                    • Opcode ID: aa14e1b9e389497361ed401ed70ebc10d5f62d7ff5e107018b9223dc9ab6e0fb
                                                                                                    • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                                                                                                    • Opcode Fuzzy Hash: aa14e1b9e389497361ed401ed70ebc10d5f62d7ff5e107018b9223dc9ab6e0fb
                                                                                                    • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                                                                                                    APIs
                                                                                                    • memchr.MSVCRT ref: 00444EBF
                                                                                                    • memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                                                    • memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                                                    • memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                                                    • memcpy.MSVCRT(?,0044EB0C,0000000B), ref: 00444FAF
                                                                                                    • memcpy.MSVCRT(?,00000001,00000008), ref: 00444FC1
                                                                                                    • memcpy.MSVCRT(PD,?,00000008,?,?), ref: 00445010
                                                                                                    • memset.MSVCRT ref: 0044505E
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpy$memchrmemset
                                                                                                    • String ID: PD$PD
                                                                                                    • API String ID: 1581201632-2312785699
                                                                                                    • Opcode ID: 0e910d3a8e1f8c818d40de505798e2cb595e2298e7188f8e397b04e98a163445
                                                                                                    • Instruction ID: 10fb1f61a141a907ee6ef334180a592a84e160db04a0c58349e49e3250f7ff3f
                                                                                                    • Opcode Fuzzy Hash: 0e910d3a8e1f8c818d40de505798e2cb595e2298e7188f8e397b04e98a163445
                                                                                                    • Instruction Fuzzy Hash: 8D5192719002196BDF10EF69CC85EEEBBBCAF45304F0444ABE555E7246E738E648CBA4
                                                                                                    APIs
                                                                                                    • GetSystemMetrics.USER32(00000011), ref: 00409F5B
                                                                                                    • GetSystemMetrics.USER32(00000010), ref: 00409F61
                                                                                                    • GetDC.USER32(00000000), ref: 00409F6E
                                                                                                    • GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
                                                                                                    • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
                                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
                                                                                                    • GetWindowRect.USER32(?,?), ref: 00409FA0
                                                                                                    • GetParent.USER32(?), ref: 00409FA5
                                                                                                    • GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
                                                                                                    • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                                                                                    • String ID:
                                                                                                    • API String ID: 2163313125-0
                                                                                                    • Opcode ID: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                                                                                                    • Instruction ID: e27d49e141fc924f5dc8bb17b5c2b7dfe0ac862298cc10f95babd1b5c1aaa95e
                                                                                                    • Opcode Fuzzy Hash: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                                                                                                    • Instruction Fuzzy Hash: 66318475A00209AFDF14CFB9CD85AEEBBB9FB48354F050579E901F3290DA70ED458A50
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: free$wcslen
                                                                                                    • String ID:
                                                                                                    • API String ID: 3592753638-3916222277
                                                                                                    • Opcode ID: ee4a635328ec67d54f876bdb2dea934223b4b651374da98f2fba9a82a9ef0b7d
                                                                                                    • Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
                                                                                                    • Opcode Fuzzy Hash: ee4a635328ec67d54f876bdb2dea934223b4b651374da98f2fba9a82a9ef0b7d
                                                                                                    • Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040A47B
                                                                                                    • _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                    • wcslen.MSVCRT ref: 0040A4BA
                                                                                                    • memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                    • wcslen.MSVCRT ref: 0040A4E0
                                                                                                    • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpywcslen$_snwprintfmemset
                                                                                                    • String ID: %s (%s)$YV@
                                                                                                    • API String ID: 3979103747-598926743
                                                                                                    • Opcode ID: 1cd29c0c96bb3ddeb02ffde04bffb630c2350d0f86c95190f97a15d0a128dfe3
                                                                                                    • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                                                                                                    • Opcode Fuzzy Hash: 1cd29c0c96bb3ddeb02ffde04bffb630c2350d0f86c95190f97a15d0a128dfe3
                                                                                                    • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                                                                                                    APIs
                                                                                                    • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00409764,?,00000000,?,00410669,00000000,?,00412758,00000000), ref: 0040A686
                                                                                                    • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409764,?,00000000,?,00410669), ref: 0040A6A4
                                                                                                    • wcslen.MSVCRT ref: 0040A6B1
                                                                                                    • wcscpy.MSVCRT ref: 0040A6C1
                                                                                                    • LocalFree.KERNEL32(00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409764,?,00000000,?,00410669,00000000), ref: 0040A6CB
                                                                                                    • wcscpy.MSVCRT ref: 0040A6DB
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                                                    • String ID: Unknown Error$netmsg.dll
                                                                                                    • API String ID: 2767993716-572158859
                                                                                                    • Opcode ID: 5982e7e4988f8d3682e164896efd2193f6d57f3c4e1bf6f54fb8b809858ad133
                                                                                                    • Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
                                                                                                    • Opcode Fuzzy Hash: 5982e7e4988f8d3682e164896efd2193f6d57f3c4e1bf6f54fb8b809858ad133
                                                                                                    • Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
                                                                                                    APIs
                                                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                    • wcscpy.MSVCRT ref: 0040DAFB
                                                                                                    • wcscpy.MSVCRT ref: 0040DB0B
                                                                                                    • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                                                                                                      • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: PrivateProfilewcscpy$AttributesFileString
                                                                                                    • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                    • API String ID: 3176057301-2039793938
                                                                                                    • Opcode ID: 19b23b35163b1b9442cb05249b6519e0ec66bb1c0419b9cd6882ee6235bf6311
                                                                                                    • Instruction ID: a06b33177ff8c9e83df2ed587696004ed0fecc3b70d630751f385571f4afffd7
                                                                                                    • Opcode Fuzzy Hash: 19b23b35163b1b9442cb05249b6519e0ec66bb1c0419b9cd6882ee6235bf6311
                                                                                                    • Instruction Fuzzy Hash: A8F0F661EC061236D2213A761C07F2E26149FA3B93F05447BBC08771C7CA7E4A4DC69E
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                                                                    • cannot ATTACH database within transaction, xrefs: 0042F663
                                                                                                    • unable to open database: %s, xrefs: 0042F84E
                                                                                                    • database %s is already in use, xrefs: 0042F6C5
                                                                                                    • database is already attached, xrefs: 0042F721
                                                                                                    • out of memory, xrefs: 0042F865
                                                                                                    • too many attached databases - max %d, xrefs: 0042F64D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpymemset
                                                                                                    • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                                    • API String ID: 1297977491-2001300268
                                                                                                    • Opcode ID: b87818fa112a0acc8a66a9ae252063e0b2e26e7fac12933c278b7e571d5e68ae
                                                                                                    • Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
                                                                                                    • Opcode Fuzzy Hash: b87818fa112a0acc8a66a9ae252063e0b2e26e7fac12933c278b7e571d5e68ae
                                                                                                    • Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8EC
                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8FA
                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E90B
                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E922
                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E92B
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040EB3F
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040EB5B
                                                                                                    • memcpy.MSVCRT(?,0045A248,00000014,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?), ref: 0040EB80
                                                                                                    • memcpy.MSVCRT(?,0045A234,00000014,?,0045A248,00000014,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?), ref: 0040EB94
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,?,004126A8,00000000), ref: 0040EC17
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(0000000C,00000000,?,004126A8,00000000), ref: 0040EC21
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,?,004126A8,00000000), ref: 0040EC59
                                                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                                                      • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                                                      • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                                                      • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                      • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                                                                    • String ID: ($d
                                                                                                    • API String ID: 1140211610-1915259565
                                                                                                    • Opcode ID: a1c7ed4194c507a0631b10337623f35aa4fe9b12b4df3912366feb9681346245
                                                                                                    • Instruction ID: 92dd2811bdb74a70ba85f750b5b6098557f3982e7a927aadba8bcdb4291d1afd
                                                                                                    • Opcode Fuzzy Hash: a1c7ed4194c507a0631b10337623f35aa4fe9b12b4df3912366feb9681346245
                                                                                                    • Instruction Fuzzy Hash: D7518D71601704AFD724DF2AC586A5AB7F8FF48314F10892EE55ACB381DB75E9408B48
                                                                                                    APIs
                                                                                                    • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                                                                                                    • Sleep.KERNEL32(00000001), ref: 004178E9
                                                                                                    • GetLastError.KERNEL32 ref: 004178FB
                                                                                                    • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: File$ErrorLastLockSleepUnlock
                                                                                                    • String ID:
                                                                                                    • API String ID: 3015003838-0
                                                                                                    • Opcode ID: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                                                                                    • Instruction ID: bb7e89fefddb53edf96b8819cb9ac805ac4f8ca395f1f2490f4f27a155f14dd5
                                                                                                    • Opcode Fuzzy Hash: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                                                                                    • Instruction Fuzzy Hash: C741FFB515C3029FE3209F219C05BA7B7F1BFC4714F20092EF5A556280CBB9D8898A6E
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00407E44
                                                                                                    • memset.MSVCRT ref: 00407E5B
                                                                                                    • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                                                                    • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                                                                    • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                                                                    • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                                                                    • wcscpy.MSVCRT ref: 00407F10
                                                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
                                                                                                    • String ID:
                                                                                                    • API String ID: 59245283-0
                                                                                                    • Opcode ID: 5e520accdd45059f4d080cd8d67ab72c1dc8c36b7959bb75ad43466fad0b9107
                                                                                                    • Instruction ID: 836b70714d1948736637452a130addde846eabb024256fa404d9b75b59221f05
                                                                                                    • Opcode Fuzzy Hash: 5e520accdd45059f4d080cd8d67ab72c1dc8c36b7959bb75ad43466fad0b9107
                                                                                                    • Instruction Fuzzy Hash: 2F4130B5900218AFDB20EB65CC81FDAB7FCBB09354F0085AAF559E7241DB34AB488F55
                                                                                                    APIs
                                                                                                    • DeleteFileW.KERNEL32(00000000,00000000,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                                                                                                    • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                                                                                                    • GetLastError.KERNEL32 ref: 0041855C
                                                                                                    • Sleep.KERNEL32(00000064), ref: 00418571
                                                                                                    • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                                                                                                    • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                                                                                                    • GetLastError.KERNEL32 ref: 0041858E
                                                                                                    • Sleep.KERNEL32(00000064), ref: 004185A3
                                                                                                    • free.MSVCRT ref: 004185AC
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: File$AttributesDeleteErrorLastSleep$free
                                                                                                    • String ID:
                                                                                                    • API String ID: 2802642348-0
                                                                                                    • Opcode ID: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                                                                    • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                                                                                                    • Opcode Fuzzy Hash: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                                                                    • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
                                                                                                    APIs
                                                                                                    • memcpy.MSVCRT(004032AB,&quot;,0000000C,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EB6
                                                                                                    • memcpy.MSVCRT(004032AB,&amp;,0000000A,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EE2
                                                                                                    • memcpy.MSVCRT(004032AD,&lt;,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpy
                                                                                                    • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                    • API String ID: 3510742995-3273207271
                                                                                                    • Opcode ID: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                                                                                    • Instruction ID: c5e12263314fdcdd46b54c12ab2af12db27c873e0c2922b0206687d3a4296adb
                                                                                                    • Opcode Fuzzy Hash: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                                                                                    • Instruction Fuzzy Hash: A601F576F8032071EA3020058C46FF70558FBF2B1AFA20127FD86292D5D28D0AC7929F
                                                                                                    APIs
                                                                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,004133E1,00000000,00000000), ref: 00413A7A
                                                                                                    • memset.MSVCRT ref: 00413ADC
                                                                                                    • memset.MSVCRT ref: 00413AEC
                                                                                                      • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                                                                                                    • memset.MSVCRT ref: 00413BD7
                                                                                                    • wcscpy.MSVCRT ref: 00413BF8
                                                                                                    • CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,00000000), ref: 00413C4E
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$wcscpy$CloseHandleOpenProcess
                                                                                                    • String ID: 3A
                                                                                                    • API String ID: 3300951397-293699754
                                                                                                    • Opcode ID: 60cd21eba0755187b3415576207be6f8e5fc256c319da37b94ce2418303dd88c
                                                                                                    • Instruction ID: 1dd795ac5698d536b98d54c3d0ab6bca04534a71b571f2ddc62e59a9adc8dd8d
                                                                                                    • Opcode Fuzzy Hash: 60cd21eba0755187b3415576207be6f8e5fc256c319da37b94ce2418303dd88c
                                                                                                    • Instruction Fuzzy Hash: 3C514D71108341AFD720DF25DC84ADBB7E8FF84705F004A2EF59992291EB75DA44CBAA
                                                                                                    APIs
                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                                                    • wcscpy.MSVCRT ref: 0040D1B5
                                                                                                      • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                                                                                      • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                                                                                    • wcslen.MSVCRT ref: 0040D1D3
                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                                                    • LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                                                    • memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                                                      • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0CC
                                                                                                      • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0EA
                                                                                                      • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D108
                                                                                                      • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D126
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                                                    • String ID: strings
                                                                                                    • API String ID: 3166385802-3030018805
                                                                                                    • Opcode ID: 07dd20e83a72376c017d688d2d43246e42d1d17d60f688a4af98472ad4cd9316
                                                                                                    • Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
                                                                                                    • Opcode Fuzzy Hash: 07dd20e83a72376c017d688d2d43246e42d1d17d60f688a4af98472ad4cd9316
                                                                                                    • Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00411AF6
                                                                                                      • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                                                                                    • wcsrchr.MSVCRT ref: 00411B14
                                                                                                    • wcscat.MSVCRT ref: 00411B2E
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileModuleNamememsetwcscatwcsrchr
                                                                                                    • String ID: AE$.cfg$General$EA
                                                                                                    • API String ID: 776488737-1622828088
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040D8BD
                                                                                                    • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                                                                                    • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                                                                                    • memset.MSVCRT ref: 0040D906
                                                                                                    • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                                                                                    • _wcsicmp.MSVCRT ref: 0040D92F
                                                                                                      • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                                                                                      • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                                                                    • String ID: sysdatetimepick32
                                                                                                    • API String ID: 1028950076-4169760276
                                                                                                    APIs
                                                                                                    • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B911
                                                                                                    • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B923
                                                                                                    • memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
                                                                                                    • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B958
                                                                                                    • memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
                                                                                                    • memset.MSVCRT ref: 0041BA3D
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: memcpy$memset
                                                                                                    • String ID: -journal$-wal
                                                                                                    • API String ID: 438689982-2894717839
                                                                                                    APIs
                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                                                                                                    • EndDialog.USER32(?,00000002), ref: 00405C83
                                                                                                    • EndDialog.USER32(?,00000001), ref: 00405C98
                                                                                                      • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                                                                                                      • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                                                                                                    • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                                                                                                    • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                                                                                                    Similarity
                                                                                                    • API ID: Item$Dialog$MessageSend
                                                                                                    • String ID:
                                                                                                    • API String ID: 3975816621-0
                                                                                                    APIs
                                                                                                    • _wcsicmp.MSVCRT ref: 00444D09
                                                                                                    • _wcsicmp.MSVCRT ref: 00444D1E
                                                                                                    • _wcsicmp.MSVCRT ref: 00444D33
                                                                                                      • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                                                      • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                                                      • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: _wcsicmp$wcslen$_memicmp
                                                                                                    • String ID: .save$http://$https://$log profile$signIn
                                                                                                    • API String ID: 1214746602-2708368587
                                                                                                    APIs
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(0000000C), ref: 00405DE1
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00405DFD
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E23
                                                                                                    • memset.MSVCRT ref: 00405E33
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E62
                                                                                                    • InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405EAF
                                                                                                    • SetFocus.USER32(?,?,?,?), ref: 00405EB8
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00405EC8
                                                                                                    Similarity
                                                                                                    • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                                                    • String ID:
                                                                                                    • API String ID: 2313361498-0
                                                                                                    APIs
                                                                                                    • GetClientRect.USER32(?,?), ref: 00405F65
                                                                                                    • GetWindow.USER32(?,00000005), ref: 00405F7D
                                                                                                    • GetWindow.USER32(00000000), ref: 00405F80
                                                                                                      • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
                                                                                                    • GetWindow.USER32(00000000,00000002), ref: 00405F8C
                                                                                                    • GetDlgItem.USER32(?,0000040C), ref: 00405FA2
                                                                                                    • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
                                                                                                    • GetDlgItem.USER32(?,0000040E), ref: 00405FEB
                                                                                                    • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
                                                                                                    Similarity
                                                                                                    • API ID: Window$ItemMessageRectSend$Client
                                                                                                    • String ID:
                                                                                                    • API String ID: 2047574939-0
                                                                                                    APIs
                                                                                                      • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                                                                                      • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                                                                                      • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                                      • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                                                    • memcpy.MSVCRT(?,?,00000040), ref: 0044A8BF
                                                                                                    • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044A90C
                                                                                                    • memcpy.MSVCRT(?,?,00000040), ref: 0044A988
                                                                                                      • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000040,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A422
                                                                                                      • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000008,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A46E
                                                                                                    • memcpy.MSVCRT(?,?,00000000), ref: 0044A9D8
                                                                                                    • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 0044AA19
                                                                                                    • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 0044AA4A
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: memcpy$memset
                                                                                                    • String ID: gj
                                                                                                    • API String ID: 438689982-4203073231
                                                                                                    APIs
                                                                                                    • memcpy.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00430D77
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: memcpy
                                                                                                    • String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
                                                                                                    • API String ID: 3510742995-2446657581
                                                                                                    • Opcode ID: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                                                                                    • Instruction ID: 6ffa86bec377aa4089670d2183b3ec09711c7f982517375fcd2495ffcd0e8f65
                                                                                                    • Opcode Fuzzy Hash: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                                                                                    • Instruction Fuzzy Hash: CE51CF71D00219DFCB10CF99C490AAEB7F5EF89319F21925BD841AB206D738AE45CF98
                                                                                                    APIs
                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                                                                                                    • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                                                                                                    • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                                                                                                    • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                                                                                                    • memset.MSVCRT ref: 00405ABB
                                                                                                    • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                                                                                                    • SetFocus.USER32(?), ref: 00405B76
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$FocusItemmemset
                                                                                                    • String ID:
                                                                                                    • API String ID: 4281309102-0
                                                                                                    • Opcode ID: 2f4c27367ad0dcd0df6ff95742fdfb823844e6920604fec48c7e171fffcef4b8
                                                                                                    • Instruction ID: 6f3680249e95162a2c17081b35fa045d6cf646e1ea5253f38cdaf521fbeb1c86
                                                                                                    • Opcode Fuzzy Hash: 2f4c27367ad0dcd0df6ff95742fdfb823844e6920604fec48c7e171fffcef4b8
                                                                                                    • Instruction Fuzzy Hash: 86414B75900219BBDB20DF95CC85EAFBFB8FF04754F10406AF508A6291D3759A90CFA4
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _snwprintfwcscat
                                                                                                    • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                                    • API String ID: 384018552-4153097237
                                                                                                    • Opcode ID: ceefa94603245cfdc84b5d7ac4d3bb9d057f1e5f82a05c255ee601070e84ce5a
                                                                                                    • Instruction ID: 690b9c6e7bf42a1b777b65718bd5b5c6a61f2cd8039d9a9c88f4ff4500a270e2
                                                                                                    • Opcode Fuzzy Hash: ceefa94603245cfdc84b5d7ac4d3bb9d057f1e5f82a05c255ee601070e84ce5a
                                                                                                    • Instruction Fuzzy Hash: D8319E31A00209AFDF14AF55CC86AAE7BB5FF45320F10007AE804AB292D775AE49DB94
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ItemMenu$CountInfomemsetwcschr
                                                                                                    • String ID: 0$6
                                                                                                    • API String ID: 2029023288-3849865405
                                                                                                    • Opcode ID: a1397ef96222afd124a0cc802277b776f8ca8d8a268962530e532de87b957585
                                                                                                    • Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
                                                                                                    • Opcode Fuzzy Hash: a1397ef96222afd124a0cc802277b776f8ca8d8a268962530e532de87b957585
                                                                                                    • Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A
                                                                                                    APIs
                                                                                                      • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                                                                                    • memset.MSVCRT ref: 00405455
                                                                                                    • memset.MSVCRT ref: 0040546C
                                                                                                    • memset.MSVCRT ref: 00405483
                                                                                                    • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
                                                                                                    • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$memcpy$ErrorLast
                                                                                                    • String ID: 6$\
                                                                                                    • API String ID: 404372293-1284684873
                                                                                                    • Opcode ID: 0330b9b22cd30b5b2625a0a7e6ceceae146d238a8b356c7611763844912e7754
                                                                                                    • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                                                                                                    • Opcode Fuzzy Hash: 0330b9b22cd30b5b2625a0a7e6ceceae146d238a8b356c7611763844912e7754
                                                                                                    • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                                                                                                    APIs
                                                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                                                                                    • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                                                                                    • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                                                                                    • wcscpy.MSVCRT ref: 0040A0D9
                                                                                                    • wcscat.MSVCRT ref: 0040A0E6
                                                                                                    • wcscat.MSVCRT ref: 0040A0F5
                                                                                                    • wcscpy.MSVCRT ref: 0040A107
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                                                    • String ID:
                                                                                                    • API String ID: 1331804452-0
                                                                                                    • Opcode ID: 23c89843948f9d4d6ccb23a927c15bd8e6af065920e5565f2ade9cfd678fbabf
                                                                                                    • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                                                                                                    • Opcode Fuzzy Hash: 23c89843948f9d4d6ccb23a927c15bd8e6af065920e5565f2ade9cfd678fbabf
                                                                                                    • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                                    • String ID: advapi32.dll
                                                                                                    • API String ID: 2012295524-4050573280
                                                                                                    • Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                                                                                    • Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
                                                                                                    • Opcode Fuzzy Hash: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                                                                                    • Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                                                                                    • <?xml version="1.0" ?>, xrefs: 0041007C
                                                                                                    • <%s>, xrefs: 004100A6
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$_snwprintf
                                                                                                    • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                    • API String ID: 3473751417-2880344631
                                                                                                    • Opcode ID: 2b06e63593618d13b5a5b8efcda018c795261ff0c1630acf280f9998f6f819b8
                                                                                                    • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                                                                                                    • Opcode Fuzzy Hash: 2b06e63593618d13b5a5b8efcda018c795261ff0c1630acf280f9998f6f819b8
                                                                                                    • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: wcscat$_snwprintfmemset
                                                                                                    • String ID: %2.2X
                                                                                                    • API String ID: 2521778956-791839006
                                                                                                    • Opcode ID: 31c2c2b958cbfb7d79e881a69437bc30ebdfa5a8327fe047e8a0291744cff554
                                                                                                    • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                                                                                    • Opcode Fuzzy Hash: 31c2c2b958cbfb7d79e881a69437bc30ebdfa5a8327fe047e8a0291744cff554
                                                                                                    • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _snwprintfwcscpy
                                                                                                    • String ID: dialog_%d$general$menu_%d$strings
                                                                                                    • API String ID: 999028693-502967061
                                                                                                    • Opcode ID: 80a89c9967db9934379ab2cd2962a5087f7f7915bf37897dca38dc6723802d56
                                                                                                    • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                                                                                                    • Opcode Fuzzy Hash: 80a89c9967db9934379ab2cd2962a5087f7f7915bf37897dca38dc6723802d56
                                                                                                    • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                                                                                                    APIs
                                                                                                    • strlen.MSVCRT ref: 00408DFA
                                                                                                      • Part of subcall function 00408D18: memcpy.MSVCRT(?,?,00000008,00000008,00000010,00000040,?,?), ref: 00408D44
                                                                                                    • memset.MSVCRT ref: 00408E46
                                                                                                    • memcpy.MSVCRT(00000000,?,?,00000000,00000000,00000000), ref: 00408E59
                                                                                                    • memcpy.MSVCRT(?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408E6C
                                                                                                    • memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,?,?,00000000,?,00000000,00000000,?,00000000), ref: 00408EB2
                                                                                                    • memcpy.MSVCRT(?,?,?,00000000,?,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408EC5
                                                                                                    • memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408EF2
                                                                                                    • memcpy.MSVCRT(?,00000000,00000014,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408F07
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpy$memsetstrlen
                                                                                                    • String ID:
                                                                                                    • API String ID: 2350177629-0
                                                                                                    • Opcode ID: 5b01e9cdb19858cbca659f92b0ea30b8779096e26500951ee762ba1ee29ea98e
                                                                                                    • Instruction ID: 5f65aa9fdfa02acdbc3988aed820739efb0bf546d233f5e01752542f466a415e
                                                                                                    • Opcode Fuzzy Hash: 5b01e9cdb19858cbca659f92b0ea30b8779096e26500951ee762ba1ee29ea98e
                                                                                                    • Instruction Fuzzy Hash: 3951017290050DBEEB51DAE8CC45FEFBBBCAB09304F004476F709E6155E6349B498BA6
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset
                                                                                                    • String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                                                                                    • API String ID: 2221118986-1606337402
                                                                                                    • Opcode ID: f99636ea185a13f681f6ed3553038105d2c4243f795332ddfde7f7b33e8689c4
                                                                                                    • Instruction ID: 7aef5b05df8cb417835a49add62511a3dd126d480fa81acd131143259a3eb597
                                                                                                    • Opcode Fuzzy Hash: f99636ea185a13f681f6ed3553038105d2c4243f795332ddfde7f7b33e8689c4
                                                                                                    • Instruction Fuzzy Hash: 5D818A706083219FDB10CF25E48162BB7E1EF84318F96885EEC949B256D738EC55CB9B
                                                                                                    APIs
                                                                                                    • _mbscpy.MSVCRT(?,00000000,00000000,?,00000001), ref: 00408F50
                                                                                                    • memcmp.MSVCRT(?,?,00000010,0040951D,?,?,?,?,00000010,?,00000000,?,00000001), ref: 00408FB3
                                                                                                    • memset.MSVCRT ref: 00408FD4
                                                                                                    • memcmp.MSVCRT(?,?,00000010,0040951D,?,?,00000010,?,00000000,?,00000001), ref: 00409025
                                                                                                    • memset.MSVCRT ref: 00409042
                                                                                                    • memcpy.MSVCRT(?,?,00000018,00000001,?,?,00000020,?,?,?,?,00000000,?,00000001), ref: 00409079
                                                                                                      • Part of subcall function 00408C3C: strlen.MSVCRT ref: 00408C96
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcmpmemset$_mbscpymemcpystrlen
                                                                                                    • String ID:
                                                                                                    • API String ID: 265355444-0
                                                                                                    • Opcode ID: 28e2d425d257f258de9af60d97ecb42603b9b505b60f53e6cc20d6bda128ffa8
                                                                                                    • Instruction ID: d0ac777748d33e6673793c59e161d6f76d61048b6b1b65ce46f59eb5e56095ce
                                                                                                    • Opcode Fuzzy Hash: 28e2d425d257f258de9af60d97ecb42603b9b505b60f53e6cc20d6bda128ffa8
                                                                                                    • Instruction Fuzzy Hash: E241677190060CBEEB21DAA0DC45FDFB7BCAF04344F00443EF655E6182E675AA498BA5
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                                      • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                                      • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                      • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
                                                                                                    • memset.MSVCRT ref: 0040C439
                                                                                                    • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                    • _wcsupr.MSVCRT ref: 0040C481
                                                                                                      • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                      • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                      • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                      • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                                                                                    • memset.MSVCRT ref: 0040C4D0
                                                                                                    • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                                                                                    • String ID:
                                                                                                    • API String ID: 4131475296-0
                                                                                                    • Opcode ID: f8fc55ba245d1c9f6a3ba6cb2a4711690556c3657263a09b0baeb8372baa9e99
                                                                                                    • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                                                                                                    • Opcode Fuzzy Hash: f8fc55ba245d1c9f6a3ba6cb2a4711690556c3657263a09b0baeb8372baa9e99
                                                                                                    • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 004116FF
                                                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                                                      • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                                                      • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                                                      • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                      • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                                                      • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                                      • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                      • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                                      • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                      • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                                      • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                      • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                                    • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                                    • API String ID: 2618321458-3614832568
                                                                                                    • Opcode ID: 9944a9292e2920dba3aaf51766bf3ae0805637ffbeb5ceac454ead9757247a29
                                                                                                    • Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
                                                                                                    • Opcode Fuzzy Hash: 9944a9292e2920dba3aaf51766bf3ae0805637ffbeb5ceac454ead9757247a29
                                                                                                    • Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AttributesFilefreememset
                                                                                                    • String ID:
                                                                                                    • API String ID: 2507021081-0
                                                                                                    • Opcode ID: f626a43687866fd62cff7198848d6d3005aba6e6c292beb9a178d7ac8eb7ae81
                                                                                                    • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                                                                                                    • Opcode Fuzzy Hash: f626a43687866fd62cff7198848d6d3005aba6e6c292beb9a178d7ac8eb7ae81
                                                                                                    • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                                                                                                    APIs
                                                                                                    • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                                                                    • malloc.MSVCRT ref: 00417524
                                                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                                                                    • free.MSVCRT ref: 00417544
                                                                                                    • free.MSVCRT ref: 00417562
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharMultiWidefree$ApisFilemalloc
                                                                                                    • String ID:
                                                                                                    • API String ID: 4131324427-0
                                                                                                    • Opcode ID: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                                                                    • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                                                                                                    • Opcode Fuzzy Hash: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                                                                    • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                                                                                                    APIs
                                                                                                    • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                                                                                    • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                                                                                    • free.MSVCRT ref: 0041822B
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: PathTemp$free
                                                                                                    • String ID: %s\etilqs_$etilqs_
                                                                                                    • API String ID: 924794160-1420421710
                                                                                                    • Opcode ID: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                                                    • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                                                                                                    • Opcode Fuzzy Hash: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                                                    • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040FDD5
                                                                                                      • Part of subcall function 00414E7F: memcpy.MSVCRT(004032AD,&lt;,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
                                                                                                      • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                                      • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                                    • _snwprintf.MSVCRT ref: 0040FE1F
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                                                                                    • String ID: <%s>%s</%s>$</item>$<item>
                                                                                                    • API String ID: 1775345501-2769808009
                                                                                                    • Opcode ID: a80adfea278a619b769589c982a5f837149a8ec15786c25d02deefdd1f26e855
                                                                                                    • Instruction ID: 102da8641e186e10bf8cf1b41b05db2e7c44eca872c9cddb12e5aab4d34b3b7e
                                                                                                    • Opcode Fuzzy Hash: a80adfea278a619b769589c982a5f837149a8ec15786c25d02deefdd1f26e855
                                                                                                    • Instruction Fuzzy Hash: 3111C131600219BBDB21AF65CC86E99BB65FF04348F00007AFD05676A2C779E968CBC9
                                                                                                    APIs
                                                                                                    • wcscpy.MSVCRT ref: 0041477F
                                                                                                    • wcscpy.MSVCRT ref: 0041479A
                                                                                                    • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General,?,00000000,00000001), ref: 004147C1
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 004147C8
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: wcscpy$CloseCreateFileHandle
                                                                                                    • String ID: General
                                                                                                    • API String ID: 999786162-26480598
                                                                                                    • Opcode ID: 54671a12e9c864bd4b64cc02a8f827eeeeb56075ac3ac549414b1b6b262afd21
                                                                                                    • Instruction ID: 029e45c8424a23c50dbc4d8c1dfe1f9d14d00e2cf8bd1bf10ef2c4f99c7741b7
                                                                                                    • Opcode Fuzzy Hash: 54671a12e9c864bd4b64cc02a8f827eeeeb56075ac3ac549414b1b6b262afd21
                                                                                                    • Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669
                                                                                                    APIs
                                                                                                    • GetLastError.KERNEL32(00000000,?,00410669,00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00409750
                                                                                                    • _snwprintf.MSVCRT ref: 0040977D
                                                                                                    • MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00409796
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLastMessage_snwprintf
                                                                                                    • String ID: Error$Error %d: %s
                                                                                                    • API String ID: 313946961-1552265934
                                                                                                    • Opcode ID: c861dc242bfbf6db3d3f925a4a6d39e026dc42dc2a3b2392217f61369f55f285
                                                                                                    • Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
                                                                                                    • Opcode Fuzzy Hash: c861dc242bfbf6db3d3f925a4a6d39e026dc42dc2a3b2392217f61369f55f285
                                                                                                    • Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: foreign key constraint failed$new$oid$old
                                                                                                    • API String ID: 0-1953309616
                                                                                                    • Opcode ID: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                                                                    • Instruction ID: 109d2bbf80905f1e2503505ff3b1f335ff26ebd6ff49ac5ca42eb4ed0232da3f
                                                                                                    • Opcode Fuzzy Hash: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                                                                    • Instruction Fuzzy Hash: 71E19271E00318EFDF14DFA5D882AAEBBB5EF08304F54406EE805AB351DB799A01CB65
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                                                                    • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                                                                    • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpy
                                                                                                    • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                    • API String ID: 3510742995-272990098
                                                                                                    • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                                    • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                                                                                                    • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                                    • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0044A6EB
                                                                                                    • memset.MSVCRT ref: 0044A6FB
                                                                                                    • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                                    • memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpymemset
                                                                                                    • String ID: gj
                                                                                                    • API String ID: 1297977491-4203073231
                                                                                                    • Opcode ID: 89e2b4c479d66d8f351294c0966a75ef3485227debcc485d945bfba73828c7b8
                                                                                                    • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                                                                                                    • Opcode Fuzzy Hash: 89e2b4c479d66d8f351294c0966a75ef3485227debcc485d945bfba73828c7b8
                                                                                                    • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8EC
                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8FA
                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E90B
                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E922
                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E92B
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E961
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E974
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E987
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E99A
                                                                                                    • free.MSVCRT ref: 0040E9D3
                                                                                                      • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ??3@$free
                                                                                                    • String ID:
                                                                                                    • API String ID: 2241099983-0
                                                                                                    • Opcode ID: 1a8555f46c1a3ec8b66a42d0cb8e1340db676157345f2d4bb75338048ae0e025
                                                                                                    • Instruction ID: 098569c1990a85f87ddbd530571c52e66e2f7ba0f471894b996c1416d461d1fd
                                                                                                    • Opcode Fuzzy Hash: 1a8555f46c1a3ec8b66a42d0cb8e1340db676157345f2d4bb75338048ae0e025
                                                                                                    • Instruction Fuzzy Hash: 5001A932A01A2097C665BB27A50195EB354BE86B24316896FF844773C1CB3C6C61C6DF
                                                                                                    APIs
                                                                                                    • AreFileApisANSI.KERNEL32 ref: 00417497
                                                                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                                                                    • malloc.MSVCRT ref: 004174BD
                                                                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                                                                    • free.MSVCRT ref: 004174E4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                                                                    • String ID:
                                                                                                    • API String ID: 4053608372-0
                                                                                                    • Opcode ID: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                                                                                    • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                                                                                                    • Opcode Fuzzy Hash: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                                                                                    • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                                                                                                    APIs
                                                                                                    • GetParent.USER32(?), ref: 0040D453
                                                                                                    • GetWindowRect.USER32(?,?), ref: 0040D460
                                                                                                    • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                                                                    • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                                                                    • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$Rect$ClientParentPoints
                                                                                                    • String ID:
                                                                                                    • API String ID: 4247780290-0
                                                                                                    • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                                    • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                                                                                                    • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                                    • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                                                                                                    APIs
                                                                                                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                                                    • memset.MSVCRT ref: 004450CD
                                                                                                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                                      • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                                                                      • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                                                      • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                                                      • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                                                    • String ID:
                                                                                                    • API String ID: 1471605966-0
                                                                                                    • Opcode ID: edfdfd5907517e88f4142de78b3de7a943e3e7aedefbd09b5ff7bb7402004b57
                                                                                                    • Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
                                                                                                    • Opcode Fuzzy Hash: edfdfd5907517e88f4142de78b3de7a943e3e7aedefbd09b5ff7bb7402004b57
                                                                                                    • Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
                                                                                                    APIs
                                                                                                    • wcscpy.MSVCRT ref: 0044475F
                                                                                                    • wcscat.MSVCRT ref: 0044476E
                                                                                                    • wcscat.MSVCRT ref: 0044477F
                                                                                                    • wcscat.MSVCRT ref: 0044478E
                                                                                                      • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                      • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                                                      • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?,004447CD,?,?,?,00000000,?), ref: 00409AA5
                                                                                                      • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                                                                    • String ID: \StringFileInfo\
                                                                                                    • API String ID: 102104167-2245444037
                                                                                                    • Opcode ID: 5de2f5fc2277cc411a3074599cad155646ee2126b3ab30f355a99381f63f29ed
                                                                                                    • Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
                                                                                                    • Opcode Fuzzy Hash: 5de2f5fc2277cc411a3074599cad155646ee2126b3ab30f355a99381f63f29ed
                                                                                                    • Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69
                                                                                                    APIs
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8EC
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8FA
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E90B
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E922
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E92B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ??3@
                                                                                                    • String ID:
                                                                                                    • API String ID: 613200358-0
                                                                                                    • Opcode ID: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                                                                                    • Instruction ID: 8b058f36177a858601f18eb469b8e3bd7c1df3fc7b9e847ab044313c89d6339d
                                                                                                    • Opcode Fuzzy Hash: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                                                                                    • Instruction Fuzzy Hash: 98F012B25047015FD760AF6AA8C491BF3E9AB597147668C3FF149D3641CB38FC508A1C
                                                                                                    APIs
                                                                                                    • GetSystemMetrics.USER32(00000000), ref: 00401990
                                                                                                    • GetSystemMetrics.USER32(00000001), ref: 0040199B
                                                                                                    • SetWindowPlacement.USER32(00000000,?), ref: 004019CC
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MetricsSystem$PlacementWindow
                                                                                                    • String ID: AE
                                                                                                    • API String ID: 3548547718-685266089
                                                                                                    • Opcode ID: eb2f8e64a603564a933fd5a75b54da642a0a5aacc70f311db6863d86cb8a116d
                                                                                                    • Instruction ID: bc47655bc3d2af3ddac3cbb2ac08b89d1fd66a09df9f10e9f6ff2044f470f5ca
                                                                                                    • Opcode Fuzzy Hash: eb2f8e64a603564a933fd5a75b54da642a0a5aacc70f311db6863d86cb8a116d
                                                                                                    • Instruction Fuzzy Hash: 4C11AC719002099BCF20CF5EC8987EE77B5BF41308F15017ADC90BB292D670A841CB64
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _memicmpwcslen
                                                                                                    • String ID: @@@@$History
                                                                                                    • API String ID: 1872909662-685208920
                                                                                                    • Opcode ID: b53e6bfe39813f40e33e088c97292d20a71445cfbc3f913cd0ff49abdb82a555
                                                                                                    • Instruction ID: 0314511eba11a06c501d0b319d6753a7178557fc2485e08f734f24cb460fdfed
                                                                                                    • Opcode Fuzzy Hash: b53e6bfe39813f40e33e088c97292d20a71445cfbc3f913cd0ff49abdb82a555
                                                                                                    • Instruction Fuzzy Hash: F1F0CD3310471157D210DE199C41A2BF7F8DB813A5F11063FF991A31C2D739EC658657
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 004100FB
                                                                                                    • memset.MSVCRT ref: 00410112
                                                                                                      • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                                      • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                                    • _snwprintf.MSVCRT ref: 00410141
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                                                    • String ID: </%s>
                                                                                                    • API String ID: 3400436232-259020660
                                                                                                    • Opcode ID: 5b9d86c37e8fc893e623c972aadbd746c4d139f4edb44e4e662c1ed71a902018
                                                                                                    • Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
                                                                                                    • Opcode Fuzzy Hash: 5b9d86c37e8fc893e623c972aadbd746c4d139f4edb44e4e662c1ed71a902018
                                                                                                    • Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040E770
                                                                                                    • SendMessageW.USER32(?,0000105F,00000000,?), ref: 0040E79F
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSendmemset
                                                                                                    • String ID: AE$"
                                                                                                    • API String ID: 568519121-1989281832
                                                                                                    • Opcode ID: b8b737cf360229c8c3c0ba8ae205d700f5cbc6e636b32f375fd4ccd57fc75389
                                                                                                    • Instruction ID: 5049a961280a3e8282645b70ff0f7bf8ff78c54eb6baa8beabb6daf17925e322
                                                                                                    • Opcode Fuzzy Hash: b8b737cf360229c8c3c0ba8ae205d700f5cbc6e636b32f375fd4ccd57fc75389
                                                                                                    • Instruction Fuzzy Hash: A701A239900204ABEB209F5ACC81EABB7F8FF44B45F008429E854A7291D3349855CF79
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040D58D
                                                                                                    • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                                                                                    • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ChildEnumTextWindowWindowsmemset
                                                                                                    • String ID: caption
                                                                                                    • API String ID: 1523050162-4135340389
                                                                                                    • Opcode ID: 0d93d59d75102ca4f37fb867a54fcac0e05f73641c093ad9b23abec7f1ae8059
                                                                                                    • Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
                                                                                                    • Opcode Fuzzy Hash: 0d93d59d75102ca4f37fb867a54fcac0e05f73641c093ad9b23abec7f1ae8059
                                                                                                    • Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D
                                                                                                    APIs
                                                                                                      • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                                                                      • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                                                                    • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                                                                    • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                                                                    • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                                                                    • String ID: MS Sans Serif
                                                                                                    • API String ID: 210187428-168460110
                                                                                                    • Opcode ID: d52be591b3ab58c36f6074870949877e32a333ebc1fa33980d7036594a0e8467
                                                                                                    • Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
                                                                                                    • Opcode Fuzzy Hash: d52be591b3ab58c36f6074870949877e32a333ebc1fa33980d7036594a0e8467
                                                                                                    • Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ClassName_wcsicmpmemset
                                                                                                    • String ID: edit
                                                                                                    • API String ID: 2747424523-2167791130
                                                                                                    • Opcode ID: da8fee05c6b158577436834c58d8e0793f5841ead652fa3e76a227b487c5742d
                                                                                                    • Instruction ID: aa36152fd255268de381ae2120198bffa1fffac517830ea88c39a2b7b5867ff0
                                                                                                    • Opcode Fuzzy Hash: da8fee05c6b158577436834c58d8e0793f5841ead652fa3e76a227b487c5742d
                                                                                                    • Instruction Fuzzy Hash: 86E0D872D8031E6AFB10EBA0DC4AFA977BCFB01708F0001B6B915E10C2EBB496494A45
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                    • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
                                                                                                    • FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                    • String ID: SHAutoComplete$shlwapi.dll
                                                                                                    • API String ID: 3150196962-1506664499
                                                                                                    • Opcode ID: cdcb965da711456ca4b51fb43941328c5d6cb5423f9048b51d1f1fd4f659d43f
                                                                                                    • Instruction ID: 56be8aed7d941f739c6f69dc747e21d8edf2639efa9d7e462eda1ee05908af23
                                                                                                    • Opcode Fuzzy Hash: cdcb965da711456ca4b51fb43941328c5d6cb5423f9048b51d1f1fd4f659d43f
                                                                                                    • Instruction Fuzzy Hash: C1D0C2353002315BD6616B27AC04AAF2A99EFC13A1B054035F928D2210DBA84996827D
                                                                                                    APIs
                                                                                                    • memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041D8A6
                                                                                                    • memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8BC
                                                                                                    • memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8CB
                                                                                                    • memcmp.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041D913
                                                                                                    • memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D92E
                                                                                                    Similarity
                                                                                                    • API ID: memcpy$memcmp
                                                                                                    • String ID:
                                                                                                    • API String ID: 3384217055-0
                                                                                                    • Opcode ID: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                                                                                    • Instruction ID: f5df6941464580ef2fdae31f27b7f31021858bb2d0e37ec30fcb1df3a02010a9
                                                                                                    • Opcode Fuzzy Hash: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                                                                                    • Instruction Fuzzy Hash: 8821B2B2E10249ABDB14EA91DC46EDF73FC9B44704F01442AF512D7181EB28E644C725
                                                                                                    APIs
                                                                                                    Similarity
                                                                                                    • API ID: memset$memcpy
                                                                                                    • String ID:
                                                                                                    • API String ID: 368790112-0
                                                                                                    • Opcode ID: 8ce092fd9a5e59041eb9f85ad4e05697c1cc0ba7cb52d02734991e9cdc0d3c07
                                                                                                    • Instruction ID: abb90bdd0bd5c960a46cc99acd1c91865272cbbdb433919b32c204757dd19146
                                                                                                    • Opcode Fuzzy Hash: 8ce092fd9a5e59041eb9f85ad4e05697c1cc0ba7cb52d02734991e9cdc0d3c07
                                                                                                    • Instruction Fuzzy Hash: 0201FCB5740B007BF235AB35CC03F9A73A8AF52724F004A1EF153966C2DBF8A554819D
                                                                                                    APIs
                                                                                                      • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
                                                                                                      • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
                                                                                                      • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
                                                                                                      • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
                                                                                                      • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
                                                                                                    • GetMenu.USER32(?), ref: 00410F8D
                                                                                                    • GetSubMenu.USER32(00000000), ref: 00410F9A
                                                                                                    • GetSubMenu.USER32(00000000), ref: 00410F9D
                                                                                                    • CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
                                                                                                    Similarity
                                                                                                    • API ID: Menu$ItemMessageSend$CheckEnableRadio
                                                                                                    • String ID:
                                                                                                    • API String ID: 1889144086-0
                                                                                                    • Opcode ID: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
                                                                                                    • Instruction ID: be5000c07a60ff25a23af51018491178d5f127676f18bd69b4cc56e9e4830f27
                                                                                                    • Opcode Fuzzy Hash: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
                                                                                                    • Instruction Fuzzy Hash: D5517171B40704BFEB20AB66CD4AF9FBAB9EB44704F00046EB249B72E2C6756D50DB54
                                                                                                    APIs
                                                                                                    • CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
                                                                                                    • MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
                                                                                                    • GetLastError.KERNEL32 ref: 0041810A
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00418120
                                                                                                    Similarity
                                                                                                    • API ID: File$CloseCreateErrorHandleLastMappingView
                                                                                                    • String ID:
                                                                                                    • API String ID: 1661045500-0
                                                                                                    • Opcode ID: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
                                                                                                    • Instruction ID: 5cb71d9443798353a032a6b226e7c46d85178154149a60e532078a3cdb21b7c8
                                                                                                    • Opcode Fuzzy Hash: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
                                                                                                    • Instruction Fuzzy Hash: 64518A71204706DFDB24CF25C984AA7BBE5FF88344F10492EF84287691EB74E895CB99
                                                                                                    APIs
                                                                                                      • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
                                                                                                    • memcpy.MSVCRT(?,?,?), ref: 0042EC7A
                                                                                                    Strings
                                                                                                    • virtual tables may not be altered, xrefs: 0042EBD2
                                                                                                    • Cannot add a column to a view, xrefs: 0042EBE8
                                                                                                    • sqlite_altertab_%s, xrefs: 0042EC4C
                                                                                                    Similarity
                                                                                                    • API ID: memcpymemset
                                                                                                    • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                                                                                    • API String ID: 1297977491-2063813899
                                                                                                    • Opcode ID: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                                                                                                    • Instruction ID: f910cd7a27c7e389b2617bf4251edf561ae6288f62f29054cc1fb9bea0934792
                                                                                                    • Opcode Fuzzy Hash: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                                                                                                    • Instruction Fuzzy Hash: 1E418E75A00615EFCB04DF5AD881A99BBF0FF48314F65816BE808DB352D778E950CB88
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040560C
                                                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                                                      • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                                                      • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                                                      • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                      • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                                                      • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                                      • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                      • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                                      • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                      • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                                      • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                      • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                                    • String ID: *.*$dat$wand.dat
                                                                                                    • API String ID: 2618321458-1828844352
                                                                                                    • Opcode ID: 0657051124b0d036bd635f999d135efdf1f0fa3481af6b00979a6af828487765
                                                                                                    • Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
                                                                                                    • Opcode Fuzzy Hash: 0657051124b0d036bd635f999d135efdf1f0fa3481af6b00979a6af828487765
                                                                                                    • Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040ECF9
                                                                                                      • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040EDC0
                                                                                                    • wcslen.MSVCRT ref: 00410C74
                                                                                                    • _wtoi.MSVCRT(?,?,00000000,00000000,00000000,?,00000000), ref: 00410C80
                                                                                                    • _wcsicmp.MSVCRT ref: 00410CCE
                                                                                                    • _wcsicmp.MSVCRT ref: 00410CDF
                                                                                                    Similarity
                                                                                                    • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                                                                                                    • String ID:
                                                                                                    • API String ID: 1549203181-0
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00412057
                                                                                                      • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,Function_0004E518,Function_0004E518,00000005), ref: 0040A12C
                                                                                                    • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                                                                    • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                                                                    • GetKeyState.USER32(00000010), ref: 0041210D
                                                                                                    Similarity
                                                                                                    • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                                                                    • String ID:
                                                                                                    • API String ID: 3550944819-0
                                                                                                    APIs
                                                                                                    • free.MSVCRT ref: 0040F561
                                                                                                    • memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
                                                                                                    • memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: memcpy$free
                                                                                                    • String ID: g4@
                                                                                                    • API String ID: 2888793982-2133833424
                                                                                                    APIs
                                                                                                    • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129CF
                                                                                                    • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129F9
                                                                                                    • memcpy.MSVCRT(?,?,00000013,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 00412A1D
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: memcpy
                                                                                                    • String ID: @
                                                                                                    • API String ID: 3510742995-2766056989
                                                                                                    APIs
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF07
                                                                                                    • memset.MSVCRT ref: 0040AF18
                                                                                                    • memcpy.MSVCRT(0045A474,?,00000000,00000000,00000000,00000000,00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF24
                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040AF31
                                                                                                    Similarity
                                                                                                    • API ID: ??2@??3@memcpymemset
                                                                                                    • String ID:
                                                                                                    • API String ID: 1865533344-0
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 004144E7
                                                                                                      • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                                                                      • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                                    • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                                                                    • memset.MSVCRT ref: 0041451A
                                                                                                    • GetPrivateProfileStringW.KERNEL32(?,?,Function_0004E518,?,00002000,?), ref: 0041453C
                                                                                                    Similarity
                                                                                                    • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                                                    • String ID:
                                                                                                    • API String ID: 1127616056-0
                                                                                                    APIs
                                                                                                    • memcpy.MSVCRT(?,?,00000068,sqlite_master), ref: 0042FEC6
                                                                                                    • memset.MSVCRT ref: 0042FED3
                                                                                                    • memcpy.MSVCRT(?,?,00000068,?,?,?,00000000,?,?,?,?,?,?,?,sqlite_master), ref: 0042FF04
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: memcpy$memset
                                                                                                    • String ID: sqlite_master
                                                                                                    • API String ID: 438689982-3163232059
                                                                                                    APIs
                                                                                                    • SHGetMalloc.SHELL32(?), ref: 00414D9A
                                                                                                    • SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
                                                                                                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
                                                                                                    • wcscpy.MSVCRT ref: 00414DF3
                                                                                                    Similarity
                                                                                                    • API ID: BrowseFolderFromListMallocPathwcscpy
                                                                                                    • String ID:
                                                                                                    • API String ID: 3917621476-0
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                                                      • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                                                      • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                                                    • _snwprintf.MSVCRT ref: 00410FE1
                                                                                                    • SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
                                                                                                      • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                      • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                                                    • _snwprintf.MSVCRT ref: 0041100C
                                                                                                    • wcscat.MSVCRT ref: 0041101F
                                                                                                    Similarity
                                                                                                    • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                                                                                                    • String ID:
                                                                                                    • API String ID: 822687973-0
                                                                                                    APIs
                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74DEDF80,?,0041755F,?), ref: 00417452
                                                                                                    • malloc.MSVCRT ref: 00417459
                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,74DEDF80,?,0041755F,?), ref: 00417478
                                                                                                    • free.MSVCRT ref: 0041747F
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharMultiWide$freemalloc
                                                                                                    • String ID:
                                                                                                    • API String ID: 2605342592-0
                                                                                                    APIs
                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,00000000), ref: 00412403
                                                                                                    • RegisterClassW.USER32(00000001), ref: 00412428
                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                                                                    • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000,?), ref: 00412455
                                                                                                    Similarity
                                                                                                    • API ID: HandleModule$ClassCreateRegisterWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 2678498856-0
                                                                                                    • Opcode ID: 3d8581704458cf3d0e12cdde0886d81e04a6e1a5031830fe2d02856e91d8c1e2
                                                                                                    • Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
                                                                                                    • Opcode Fuzzy Hash: 3d8581704458cf3d0e12cdde0886d81e04a6e1a5031830fe2d02856e91d8c1e2
                                                                                                    • Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9
                                                                                                    APIs
                                                                                                    • GetDlgItem.USER32(?,?), ref: 00409B40
                                                                                                    • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                                                                                                    • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                                                                                                    • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$Item
                                                                                                    • String ID:
                                                                                                    • API String ID: 3888421826-0
                                                                                                    • Opcode ID: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
                                                                                                    • Instruction ID: c5475329a145d4377f6ebcab718370c73cf4573fffc80ea9acc016878d8bcf0e
                                                                                                    • Opcode Fuzzy Hash: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
                                                                                                    • Instruction Fuzzy Hash: 89F01D75A0010CBFEB019F959CC1CAF7BBDFB497A4B204475F504E2150D274AE41AA64
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00417B7B
                                                                                                    • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                                                                                                    • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                                                                                                    • GetLastError.KERNEL32 ref: 00417BB5
                                                                                                    Similarity
                                                                                                    • API ID: File$ErrorLastLockUnlockmemset
                                                                                                    • String ID:
                                                                                                    • API String ID: 3727323765-0
                                                                                                    • Opcode ID: 660d6347da47db4c597c862521096cecacc5d04f8920089305201e8d5f0c2e75
                                                                                                    • Instruction ID: 0282759007fe27108f915f617c318df1b7667033481b7feabffed058191037b6
                                                                                                    • Opcode Fuzzy Hash: 660d6347da47db4c597c862521096cecacc5d04f8920089305201e8d5f0c2e75
                                                                                                    • Instruction Fuzzy Hash: A801F971108208BFDB219FA5DC84D9B77B8FB40308F20483AF51395050D730A944CB65
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040F673
                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00007FFF,00000000,00000000,00000000), ref: 0040F690
                                                                                                    • strlen.MSVCRT ref: 0040F6A2
                                                                                                    • WriteFile.KERNEL32(00000001,?,00000000,00000000,00000000), ref: 0040F6B3
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                    • String ID:
                                                                                                    • API String ID: 2754987064-0
                                                                                                    • Opcode ID: 2d99b823047ec0f3cd03764c07ddb7da79dd9e7c990c2a315c49f172e64051b9
                                                                                                    • Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
                                                                                                    • Opcode Fuzzy Hash: 2d99b823047ec0f3cd03764c07ddb7da79dd9e7c990c2a315c49f172e64051b9
                                                                                                    • Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040F6E2
                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000001,000000FF,?,00001FFF,00000000,00000000,00000001,0044E5FC,00000000,00000000,00000000,?,00000000,00000000), ref: 0040F6FB
                                                                                                    • strlen.MSVCRT ref: 0040F70D
                                                                                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040F71E
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                    • String ID:
                                                                                                    • API String ID: 2754987064-0
                                                                                                    • Opcode ID: 78dfd465d09002bf9bae10831117093d85a4e6860472b193aca7c856fde4830d
                                                                                                    • Instruction ID: 4069f22fd96ae38f7b0fbed24adb75974e75abfa9f51d26af0f678a77882025e
                                                                                                    • Opcode Fuzzy Hash: 78dfd465d09002bf9bae10831117093d85a4e6860472b193aca7c856fde4830d
                                                                                                    • Instruction Fuzzy Hash: C8F06DB780022CBFFB059B94DCC8DEB77ACEB05254F0000A2B715D2042E6749F448BB8
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00402FD7
                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
                                                                                                    • strlen.MSVCRT ref: 00403006
                                                                                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                    • String ID:
                                                                                                    • API String ID: 2754987064-0
                                                                                                    • Opcode ID: 45553c8af4b0363f8a34df7fc8c3d36c1e5ddbe80f4e11049bb1cff45e3a7899
                                                                                                    • Instruction ID: 6e06d661e179051d6303c1013900a6e5c00fd457a34177cb37a2705ba00c9068
                                                                                                    • Opcode Fuzzy Hash: 45553c8af4b0363f8a34df7fc8c3d36c1e5ddbe80f4e11049bb1cff45e3a7899
                                                                                                    • Instruction Fuzzy Hash: 01F049B680122CBEFB05AB949CC9DEB77ACEB05254F0000A2B715D2082E6749F448BA9
                                                                                                    APIs
                                                                                                      • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                                                                      • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                                                                      • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                                                                    • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                                                                    • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                                                                    • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                                                                    • GetStockObject.GDI32(00000000), ref: 004143C6
                                                                                                    Similarity
                                                                                                    • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                                                                    • String ID:
                                                                                                    • API String ID: 764393265-0
                                                                                                    • Opcode ID: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                                                    • Instruction ID: 55a1794077c12dabf0ba6e1c8d3319674f3f2ba5a0574a39bcd6537ad23d1771
                                                                                                    • Opcode Fuzzy Hash: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                                                    • Instruction Fuzzy Hash: 3AF06835200219BBCF112FA5EC06EDD3F25BF05321F104536FA25A45F1CBB59D609759
                                                                                                    APIs
                                                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                                                                                    • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                                                                                    • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                                                                                    Similarity
                                                                                                    • API ID: Time$System$File$LocalSpecific
                                                                                                    • String ID:
                                                                                                    • API String ID: 979780441-0
                                                                                                    • Opcode ID: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                                                                    • Instruction ID: f583aad53f3de4022dcae7e9f33737e8013f67213d7447df07319dea818b2b95
                                                                                                    • Opcode Fuzzy Hash: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                                                                    • Instruction Fuzzy Hash: 48F08272900219AFEB019BB1DC49FBBB3FCBB0570AF04443AE112E1090D774D0058B65
                                                                                                    APIs
                                                                                                    • memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
                                                                                                    • memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                                                                    • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                                                                    Similarity
                                                                                                    • API ID: memcpy$DialogHandleModuleParam
                                                                                                    • String ID:
                                                                                                    • API String ID: 1386444988-0
                                                                                                    • Opcode ID: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                                                    • Instruction ID: 364e94b7bdcda47f4d7f1f8d7aeee0d56301a77e6e21c3ce81869cca2c347424
                                                                                                    • Opcode Fuzzy Hash: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                                                    • Instruction Fuzzy Hash: 80F0E272A843207BF7207FA5AC0AB477E94FB05B03F114826F600E50D2C2B988518F8D
                                                                                                    APIs
                                                                                                    • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
                                                                                                    • InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: InvalidateMessageRectSend
                                                                                                    • String ID: d=E
                                                                                                    • API String ID: 909852535-3703654223
                                                                                                    • Opcode ID: 4f85adb7d2e1d59cf2ea2def55f14199f34628ec472c317f77867e4e632b01ed
                                                                                                    • Instruction ID: 9534a32422cce1c6391a187da628b0196a645ea69cbd0f5c6bc65931d7846800
                                                                                                    • Opcode Fuzzy Hash: 4f85adb7d2e1d59cf2ea2def55f14199f34628ec472c317f77867e4e632b01ed
                                                                                                    • Instruction Fuzzy Hash: 7E61E9307006044BDB20EB658885FEE73E6AF44728F42456BF2195B2B2CB79ADC6C74D
                                                                                                    APIs
                                                                                                    • wcschr.MSVCRT ref: 0040F79E
                                                                                                    • wcschr.MSVCRT ref: 0040F7AC
                                                                                                      • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                                                                                      • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4), ref: 0040AACB
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: wcschr$memcpywcslen
                                                                                                    • String ID: "
                                                                                                    • API String ID: 1983396471-123907689
                                                                                                    • Opcode ID: 37fc4c0e45f0a8a54b588a11981c40142be0fe56f3c50330bf3b06fef0d62b23
                                                                                                    • Instruction ID: b5ec2b97dc3a1d34b4ae52474db4a85f3d32b900c8044ec90cdce640e07fed14
                                                                                                    • Opcode Fuzzy Hash: 37fc4c0e45f0a8a54b588a11981c40142be0fe56f3c50330bf3b06fef0d62b23
                                                                                                    • Instruction Fuzzy Hash: 7C315532904204ABDF24EFA6C8419EEB7B4EF44324F20457BEC10B75D1DB789A46CE99
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                                    • _memicmp.MSVCRT ref: 0040C00D
                                                                                                    • memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FilePointer_memicmpmemcpy
                                                                                                    • String ID: URL
                                                                                                    • API String ID: 2108176848-3574463123
                                                                                                    • Opcode ID: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                                                                                                    • Instruction ID: e2f67ed442a0be3002cd5c838a3b557e7d557c6bd05ddcbc6cfa09d4dad31ce1
                                                                                                    • Opcode Fuzzy Hash: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                                                                                                    • Instruction Fuzzy Hash: 03110271600204FBEB11DFA9CC45F5B7BA9EF41388F004166F904AB291EB79DE10C7A9
                                                                                                    APIs
                                                                                                    • _snwprintf.MSVCRT ref: 0040A398
                                                                                                    • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _snwprintfmemcpy
                                                                                                    • String ID: %2.2X
                                                                                                    • API String ID: 2789212964-323797159
                                                                                                    • Opcode ID: ad0fc0dc4c4054376e52d8ba7d115ce3a6dbc9d30928944a1ebc7f5d9ce1ea74
                                                                                                    • Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
                                                                                                    • Opcode Fuzzy Hash: ad0fc0dc4c4054376e52d8ba7d115ce3a6dbc9d30928944a1ebc7f5d9ce1ea74
                                                                                                    • Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _snwprintf
                                                                                                    • String ID: %%-%d.%ds
                                                                                                    • API String ID: 3988819677-2008345750
                                                                                                    • Opcode ID: 8c42abe836b5748aab53ff08ce10aa76654ad8be3bc89765447896375e8e9e9f
                                                                                                    • Instruction ID: 7541af853baca77dfc804340e5f0ab0fe899c5989b891af63cf45e557cb41de3
                                                                                                    • Opcode Fuzzy Hash: 8c42abe836b5748aab53ff08ce10aa76654ad8be3bc89765447896375e8e9e9f
                                                                                                    • Instruction Fuzzy Hash: B801DE71200204BFD720EE59CC82D5AB7E8FB48308B00443AF846A7692D636E854CB65
                                                                                                    APIs
                                                                                                    • GetWindowPlacement.USER32(?,?,?,?,?,00411B7F,?,General,?,00000000,00000001), ref: 00401904
                                                                                                    • memset.MSVCRT ref: 00401917
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: PlacementWindowmemset
                                                                                                    • String ID: WinPos
                                                                                                    • API String ID: 4036792311-2823255486
                                                                                                    • Opcode ID: cc976631f63ab64371ec6397e0998f8e0ccbda94530cdc87a4e9cd2a1bc3c647
                                                                                                    • Instruction ID: 942d740d8c3c01bede0812328a3a4706cce13fdf2e849e9dfea5930b7654417c
                                                                                                    • Opcode Fuzzy Hash: cc976631f63ab64371ec6397e0998f8e0ccbda94530cdc87a4e9cd2a1bc3c647
                                                                                                    • Instruction Fuzzy Hash: D4F096B0600204EFEB04DF55D899F6A33E8EF04701F1440B9F909DB1D1E7B89A04C729
                                                                                                    APIs
                                                                                                      • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                                                                                    • wcsrchr.MSVCRT ref: 0040DCE9
                                                                                                    • wcscat.MSVCRT ref: 0040DCFF
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileModuleNamewcscatwcsrchr
                                                                                                    • String ID: _lng.ini
                                                                                                    • API String ID: 383090722-1948609170
                                                                                                    • Opcode ID: 5efb5a13be846493ae7bde14296389ab58a252fc212a622dbc96a3230e290a6c
                                                                                                    • Instruction ID: 003e7a9acac466aac22365d7a2b75ab102816a5e64793edac74c8fca87dba5cc
                                                                                                    • Opcode Fuzzy Hash: 5efb5a13be846493ae7bde14296389ab58a252fc212a622dbc96a3230e290a6c
                                                                                                    • Instruction Fuzzy Hash: CEC0129654561430F51526116C03B4E12585F13316F21006BFD01340C3EFAD5705406F
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                    • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                                                                                                    • String ID: SHGetSpecialFolderPathW$shell32.dll
                                                                                                    • API String ID: 2773794195-880857682
                                                                                                    • Opcode ID: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                                                                                    • Instruction ID: 520684b8054713cb13715c6c8af1848dbb459e29e8538d47b3508bbaa4bbc045
                                                                                                    • Opcode Fuzzy Hash: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                                                                                    • Instruction Fuzzy Hash: 23D0C7719483019DD7105F65AC19B8336545B50307F204077AC04E66D7EA7CC4C49E1D
                                                                                                    APIs
                                                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 0040A159
                                                                                                    • SetWindowLongW.USER32(000000EC,000000EC,00000000), ref: 0040A16B
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: LongWindow
                                                                                                    • String ID: MZ@
                                                                                                    • API String ID: 1378638983-2978689999
                                                                                                    • Opcode ID: 897d752f6043cc922bbe5e3779e5fd859b92255b25006c63bcdd8f44162c87a9
                                                                                                    • Instruction ID: 658df1d6f65a5f4ca5cf2dc917bfbc57e2b12ac14a328fb0c2cac09aa770bd9f
                                                                                                    • Opcode Fuzzy Hash: 897d752f6043cc922bbe5e3779e5fd859b92255b25006c63bcdd8f44162c87a9
                                                                                                    • Instruction Fuzzy Hash: 3FC0027415D116AFDF112B35EC0AE2A7EA9BB86362F208BB4B076E01F1CB7184109A09
                                                                                                    APIs
                                                                                                    • memcpy.MSVCRT(?,?,00000000,?), ref: 0042BA5F
                                                                                                    • memcpy.MSVCRT(?,?,?,?), ref: 0042BA98
                                                                                                    • memset.MSVCRT ref: 0042BAAE
                                                                                                    • memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?), ref: 0042BAE7
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000005.00000002.2769432677.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpy$memset
                                                                                                    • String ID:
                                                                                                    • API String ID: 438689982-0
                                                                                                    • Opcode ID: 03305e9dc29a3088a8453c5c8815f649f32074ab8e1cbf0618065e1a77e51243
                                                                                                    • Instruction ID: 797e1fd24865db6de4a95defd5ca955254a0dec7c2ff798398e4890fb9874305
                                                                                                    • Opcode Fuzzy Hash: 03305e9dc29a3088a8453c5c8815f649f32074ab8e1cbf0618065e1a77e51243
                                                                                                    • Instruction Fuzzy Hash: 1B51A2B5A00219EBDF14DF55D882BAEBBB5FF04340F54806AE904AA245E7389E50DBD8
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040A13C: memset.MSVCRT ref: 0040A14A
                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0040E84D
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E874
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E895
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E8B6
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: ??2@$memset
                                                                                                    • String ID:
                                                                                                    • API String ID: 1860491036-0
                                                                                                    • Opcode ID: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                                                                                    • Instruction ID: 7dda0de82ffecb18951b1be6aadeef514c87807746e1e94fbb8d74dd8fa57bec
                                                                                                    • Opcode Fuzzy Hash: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                                                                                    • Instruction Fuzzy Hash: 4F21F3B1A003008FDB219F2B9445912FBE8FF90310B2AC8AF9158CB2B2D7B8C454CF15
                                                                                                    APIs
                                                                                                    • wcslen.MSVCRT ref: 0040A8E2
                                                                                                      • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                      • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                                                      • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                    • free.MSVCRT ref: 0040A908
                                                                                                    • free.MSVCRT ref: 0040A92B
                                                                                                    • memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: free$memcpy$mallocwcslen
                                                                                                    • String ID:
                                                                                                    • API String ID: 726966127-0
                                                                                                    • Opcode ID: 48b5110f71ff603a034409774c278151667955e8266c70f87da55b4d75e749d9
                                                                                                    • Instruction ID: f32a9ac0308abec2140ef864181b54c8d04bf3279582b466e144db770ea3622c
                                                                                                    • Opcode Fuzzy Hash: 48b5110f71ff603a034409774c278151667955e8266c70f87da55b4d75e749d9
                                                                                                    • Instruction Fuzzy Hash: 64217CB2200704EFC720DF18D88189AB3F9FF453247118A2EF866AB6A1CB35AD15CB55
                                                                                                    APIs
                                                                                                    • wcslen.MSVCRT ref: 0040B1DE
                                                                                                    • free.MSVCRT ref: 0040B201
                                                                                                      • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                      • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                                                      • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                    • free.MSVCRT ref: 0040B224
                                                                                                    • memcpy.MSVCRT(00000000,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: free$memcpy$mallocwcslen
                                                                                                    • String ID:
                                                                                                    • API String ID: 726966127-0
                                                                                                    • Opcode ID: dbfa2e27eb608a9f9479d75297a1486c58e4153ca5a873f0eddd30e24b8e668e
                                                                                                    • Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
                                                                                                    • Opcode Fuzzy Hash: dbfa2e27eb608a9f9479d75297a1486c58e4153ca5a873f0eddd30e24b8e668e
                                                                                                    • Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98
                                                                                                    APIs
                                                                                                    • memcmp.MSVCRT(?,004599B8,00000010,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408AF3
                                                                                                      • Part of subcall function 00408A6E: memcmp.MSVCRT(00409690,00408B12,00000004,000000FF), ref: 00408A8C
                                                                                                      • Part of subcall function 00408A6E: memcpy.MSVCRT(00000363,004096AA,4415FF50,?), ref: 00408ABB
                                                                                                      • Part of subcall function 00408A6E: memcpy.MSVCRT(-00000265,004096AF,00000060,00000363,004096AA,4415FF50,?), ref: 00408AD0
                                                                                                    • memcmp.MSVCRT(?,00000000,0000000E,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B2B
                                                                                                    • memcmp.MSVCRT(?,00000000,0000000B,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B5C
                                                                                                    • memcpy.MSVCRT(0000023E,00409690,?), ref: 00408B79
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: memcmp$memcpy
                                                                                                    • String ID:
                                                                                                    • API String ID: 231171946-0
                                                                                                    • Opcode ID: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                                                                                    • Instruction ID: 684d12db3f6cc64b33ac9287d8c213aaad77bc3869a84850190dd4d7d2050874
                                                                                                    • Opcode Fuzzy Hash: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                                                                                    • Instruction Fuzzy Hash: 8411A9F1600308AAFF202A129D07F5A3658DB21768F25443FFC84641D2FE7DAA50C55E
                                                                                                    APIs
                                                                                                    • strlen.MSVCRT ref: 0040B0D8
                                                                                                    • free.MSVCRT ref: 0040B0FB
                                                                                                      • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                      • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                                                      • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                    • free.MSVCRT ref: 0040B12C
                                                                                                    • memcpy.MSVCRT(00000000,?,00000000,00000000,0040B35A,?), ref: 0040B159
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: free$memcpy$mallocstrlen
                                                                                                    • String ID:
                                                                                                    • API String ID: 3669619086-0
                                                                                                    • Opcode ID: 04e6466bee9c2f86a7d5fc6531cc0ab8b23c91005f7f75429686add4e9716e46
                                                                                                    • Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
                                                                                                    • Opcode Fuzzy Hash: 04e6466bee9c2f86a7d5fc6531cc0ab8b23c91005f7f75429686add4e9716e46
                                                                                                    • Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
                                                                                                    APIs
                                                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                                                                    • malloc.MSVCRT ref: 00417407
                                                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                                                                    • free.MSVCRT ref: 00417425
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharMultiWide$freemalloc
                                                                                                    • String ID:
                                                                                                    • API String ID: 2605342592-0
                                                                                                    • Opcode ID: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                                                                                    • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                                                                                                    • Opcode Fuzzy Hash: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                                                                                    • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2769432677.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: wcslen$wcscat$wcscpy
                                                                                                    • String ID:
                                                                                                    • API String ID: 1961120804-0
                                                                                                    • Opcode ID: 053325bc158fb100898e7a98b0c486d6a7ee737d4dfc05f729e58fd5416b10d2
                                                                                                    • Instruction ID: 298d28553a3f700387dea6c06157f027a7ba74c69b0fe1c0d14b010c740a3b55
                                                                                                    • Opcode Fuzzy Hash: 053325bc158fb100898e7a98b0c486d6a7ee737d4dfc05f729e58fd5416b10d2
                                                                                                    • Instruction Fuzzy Hash: 3AE0E532000114BADF116FB2D8068CE3B99EF42364751883BFD08D2043EB3ED511869E

                                                                                                    Execution Graph

                                                                                                    Execution Coverage:2.6%
                                                                                                    Dynamic/Decrypted Code Coverage:19.8%
                                                                                                    Signature Coverage:0.5%
                                                                                                    Total number of Nodes:869
                                                                                                    Total number of Limit Nodes:22
4077e4 free 33151->33152 33153 409922 33152->33153 33154 4077e4 free 33153->33154 33155 40992a 33154->33155 33156 4077ae 4 API calls 33155->33156 33157 40993d 33156->33157 33158 4077ae 4 API calls 33157->33158 33159 409947 33158->33159 33160 4077ae 4 API calls 33159->33160 33161 409951 33160->33161 33162 4077ae 4 API calls 33161->33162 33163 40995b 33162->33163 33163->33136 33165 41067e 2 API calls 33164->33165 33166 41073a 33165->33166 33167 41076d memset 33166->33167 33206 406e4c 33166->33206 33168 41078d 33167->33168 33209 410411 RegOpenKeyExA 33168->33209 33172 4107ba 33173 4107ef _mbscpy 33172->33173 33210 4106ad _mbscpy 33172->33210 33174 401e95 strlen strlen 33173->33174 33174->33040 33174->33041 33176 4107cb 33211 410452 RegQueryValueExA 33176->33211 33178 4107e3 RegCloseKey 33178->33173 33179->33044 33180->33050 33212 410411 RegOpenKeyExA 33181->33212 33183 401c4b 33184 401cac 33183->33184 33213 410452 RegQueryValueExA 33183->33213 33184->33053 33184->33054 33186 401c69 33187 401c70 strchr 33186->33187 33188 401ca3 RegCloseKey 33186->33188 33187->33188 33189 401c84 strchr 33187->33189 33188->33184 33189->33188 33190 401c93 33189->33190 33214 406ca4 strlen 33190->33214 33192 401ca0 33192->33188 33193->33056 33194->33041 33195->33046 33196->33072 33217 410411 RegOpenKeyExA 33197->33217 33199 4104a9 33200 4104d2 33199->33200 33218 410452 RegQueryValueExA 33199->33218 33200->33072 33202 4104c1 RegCloseKey 33202->33200 33204->33072 33205->33063 33207 406e5b GetVersionExA 33206->33207 33208 406e6c 33206->33208 33207->33208 33208->33167 33208->33174 33209->33172 33210->33176 33211->33178 33212->33183 33213->33186 33215 406cb5 33214->33215 33216 406cb8 memcpy 33214->33216 33215->33216 33216->33192 33217->33199 33218->33202 33220 4098ad 33219->33220 33222 4098bb 33219->33222 33227 409669 memset SendMessageA 33220->33227 33223 409906 33222->33223 33224 4098f8 33222->33224 33223->33085 33228 4095d9 SendMessageA 33224->33228 33226->33081 33227->33222 33228->33223 
33229->33088 33230->33091 33232 404780 FreeLibrary 33231->33232 33233 404736 LoadLibraryA 33232->33233 33234 404747 GetProcAddress 33233->33234 33235 404769 33233->33235 33234->33235 33236 40475f 33234->33236 33237 40477c 33235->33237 33238 404780 FreeLibrary 33235->33238 33236->33235 33237->33091 33238->33237 33240 404794 FreeLibrary 33239->33240 33241 40479e 33239->33241 33240->33241 33241->33091 33243 410166 FreeLibrary 33242->33243 33244 403c1d LoadLibraryA 33243->33244 33245 403c61 33244->33245 33246 403c31 GetProcAddress 33244->33246 33247 410166 FreeLibrary 33245->33247 33246->33245 33248 403c4b 33246->33248 33249 403c68 33247->33249 33248->33245 33251 403c58 33248->33251 33250 40472f 3 API calls 33249->33250 33252 403c73 33250->33252 33251->33249 33322 4036d7 33252->33322 33255 4036d7 27 API calls 33256 403c87 33255->33256 33257 4036d7 27 API calls 33256->33257 33258 403c91 33257->33258 33259 4036d7 27 API calls 33258->33259 33260 403c9b 33259->33260 33334 408344 33260->33334 33268 403cd2 33269 403ce4 33268->33269 33517 402bc3 40 API calls 33268->33517 33382 410411 RegOpenKeyExA 33269->33382 33272 403cf7 33273 403d09 33272->33273 33518 402bc3 40 API calls 33272->33518 33383 402c4f 33273->33383 33277 406e4c GetVersionExA 33278 403d1e 33277->33278 33401 410411 RegOpenKeyExA 33278->33401 33280 403d3e 33281 403d4e 33280->33281 33519 402b14 47 API calls 33280->33519 33402 410411 RegOpenKeyExA 33281->33402 33284 403d74 33285 403d84 33284->33285 33520 402b14 47 API calls 33284->33520 33403 410411 RegOpenKeyExA 33285->33403 33288 403daa 33290 403dba 33288->33290 33521 402b14 47 API calls 33288->33521 33404 41017d 33290->33404 33293 404780 FreeLibrary 33294 403dd5 33293->33294 33408 402fcd 33294->33408 33297 402fcd 34 API calls 33298 403ded 33297->33298 33424 4032a9 33298->33424 33307 403e28 33309 403e60 33307->33309 33310 403e33 _mbscpy 33307->33310 33471 40f478 33309->33471 33523 40eca9 303 API calls 33310->33523 33319 410171 FreeLibrary 33318->33319 33320 41017c 
33318->33320 33319->33320 33320->33091 33321->33090 33323 4037b7 33322->33323 33324 4036ed 33322->33324 33323->33255 33524 4101d8 UuidFromStringA UuidFromStringA memcpy CoTaskMemFree 33324->33524 33326 403700 33326->33323 33327 403708 strchr 33326->33327 33327->33323 33328 403722 33327->33328 33525 4021ad memset 33328->33525 33330 403731 _mbscpy _mbscpy strlen 33331 403796 _mbscpy 33330->33331 33332 40377b sprintf 33330->33332 33526 4023d7 16 API calls 33331->33526 33332->33331 33335 408354 33334->33335 33527 408043 11 API calls 33335->33527 33339 408372 33340 403ca7 33339->33340 33341 40837d memset 33339->33341 33352 407f93 33340->33352 33530 4104d7 RegEnumKeyExA 33341->33530 33343 408444 RegCloseKey 33343->33340 33345 4083a9 33345->33343 33346 4083ce memset 33345->33346 33531 410411 RegOpenKeyExA 33345->33531 33534 4104d7 RegEnumKeyExA 33345->33534 33532 410452 RegQueryValueExA 33346->33532 33349 408406 33533 4081fd 10 API calls 33349->33533 33351 40841d RegCloseKey 33351->33345 33535 410411 RegOpenKeyExA 33352->33535 33354 407fb5 33355 403cb3 33354->33355 33356 407fbc memset 33354->33356 33364 408458 33355->33364 33536 4104d7 RegEnumKeyExA 33356->33536 33358 408035 RegCloseKey 33358->33355 33360 407fe5 33360->33358 33537 410411 RegOpenKeyExA 33360->33537 33538 407e63 11 API calls 33360->33538 33539 4104d7 RegEnumKeyExA 33360->33539 33363 408018 RegCloseKey 33363->33360 33540 4045d6 33364->33540 33367 408660 33548 404651 33367->33548 33369 4084a5 33369->33367 33371 4084af wcslen 33369->33371 33371->33367 33379 4084e2 33371->33379 33372 4084a3 CredEnumerateW 33372->33369 33373 4084ec wcsncmp 33373->33379 33375 40472f 3 API calls 33375->33379 33376 404780 FreeLibrary 33376->33379 33377 408584 memset 33378 4085b1 memcpy wcschr 33377->33378 33377->33379 33378->33379 33379->33367 33379->33373 33379->33375 33379->33376 33379->33377 33379->33378 33380 408634 LocalFree 33379->33380 33551 404666 _mbscpy 33379->33551 33380->33379 33381 410411 RegOpenKeyExA 33381->33268 
33382->33272 33552 410411 RegOpenKeyExA 33383->33552 33385 402c6c 33386 402d97 33385->33386 33387 402c79 memset 33385->33387 33386->33277 33553 4104d7 RegEnumKeyExA 33387->33553 33389 402d8e RegCloseKey 33389->33386 33390 410493 3 API calls 33391 402cd6 memset sprintf 33390->33391 33554 410411 RegOpenKeyExA 33391->33554 33393 402d1a 33394 402d2c sprintf 33393->33394 33555 402bc3 40 API calls 33393->33555 33556 410411 RegOpenKeyExA 33394->33556 33399 402ca4 33399->33389 33399->33390 33400 402d8c 33399->33400 33557 402bc3 40 API calls 33399->33557 33558 4104d7 RegEnumKeyExA 33399->33558 33400->33389 33401->33280 33402->33284 33403->33288 33405 41018b 33404->33405 33406 410166 FreeLibrary 33405->33406 33407 403dca 33406->33407 33407->33293 33559 410411 RegOpenKeyExA 33408->33559 33410 402feb 33411 402ff8 memset 33410->33411 33412 40311e 33410->33412 33560 4104d7 RegEnumKeyExA 33411->33560 33412->33297 33414 403025 33415 403114 RegCloseKey 33414->33415 33416 410493 3 API calls 33414->33416 33419 403094 memset 33414->33419 33421 4030eb RegCloseKey 33414->33421 33423 4104d7 RegEnumKeyExA 33414->33423 33563 402da5 26 API calls 33414->33563 33415->33412 33417 40304a memset sprintf 33416->33417 33561 410411 RegOpenKeyExA 33417->33561 33562 4104d7 RegEnumKeyExA 33419->33562 33421->33414 33423->33414 33425 4032c7 33424->33425 33426 40339b 33424->33426 33564 4021ad memset 33425->33564 33439 4034d6 memset memset 33426->33439 33428 4032d3 33565 403158 strlen GetPrivateProfileStringA strchr strlen memcpy 33428->33565 33430 4032dc 33431 4032ea memset GetPrivateProfileSectionA 33430->33431 33566 4023d7 16 API calls 33430->33566 33431->33426 33436 403321 33431->33436 33433 40338d strlen 33433->33426 33433->33436 33435 403342 strchr 33435->33436 33436->33426 33436->33433 33567 4021ad memset 33436->33567 33568 403158 strlen GetPrivateProfileStringA strchr strlen memcpy 33436->33568 33569 4023d7 16 API calls 33436->33569 33440 410493 3 API calls 33439->33440 33441 403531 33440->33441 
33442 403571 33441->33442 33443 403538 _mbscpy 33441->33443 33447 403977 33442->33447 33570 406af3 strlen _mbscat 33443->33570 33445 403557 _mbscat 33571 4033e2 19 API calls 33445->33571 33572 404666 _mbscpy 33447->33572 33451 40399c 33453 4039f1 33451->33453 33573 40edd5 memset memset 33451->33573 33594 40f057 33451->33594 33610 4038da 21 API calls 33451->33610 33454 404780 FreeLibrary 33453->33454 33455 4039fd 33454->33455 33456 4037bc memset memset 33455->33456 33618 443a35 memset 33456->33618 33459 4038d4 33459->33307 33522 40eca9 303 API calls 33459->33522 33461 403820 33462 406ca4 2 API calls 33461->33462 33463 403835 33462->33463 33464 406ca4 2 API calls 33463->33464 33465 403847 strchr 33464->33465 33466 403876 _mbscpy 33465->33466 33467 403889 strlen 33465->33467 33468 4038b1 _mbscpy 33466->33468 33467->33468 33469 403896 sprintf 33467->33469 33630 4023d7 16 API calls 33468->33630 33469->33468 33472 4446d0 33471->33472 33473 40f488 RegOpenKeyExA 33472->33473 33474 40f4b3 RegOpenKeyExA 33473->33474 33475 403e6c 33473->33475 33476 40f5a5 RegCloseKey 33474->33476 33477 40f4cd RegQueryValueExA 33474->33477 33485 40f2e4 33475->33485 33476->33475 33478 40f59b RegCloseKey 33477->33478 33479 40f4fc 33477->33479 33478->33476 33480 40472f 3 API calls 33479->33480 33481 40f509 33480->33481 33481->33478 33482 40f591 LocalFree 33481->33482 33483 40f555 memcpy memcpy 33481->33483 33482->33478 33635 40f177 11 API calls 33483->33635 33486 406e4c GetVersionExA 33485->33486 33487 40f305 33486->33487 33488 4045d6 7 API calls 33487->33488 33492 40f321 33488->33492 33489 40f45e 33490 404651 FreeLibrary 33489->33490 33491 403e72 33490->33491 33497 4437d7 memset 33491->33497 33492->33489 33493 40f38b memset WideCharToMultiByte 33492->33493 33493->33492 33494 40f3bb _strnicmp 33493->33494 33494->33492 33495 40f3d3 WideCharToMultiByte 33494->33495 33495->33492 33496 40f400 WideCharToMultiByte 33495->33496 33496->33492 33498 41072b 9 API calls 33497->33498 33499 443816 33498->33499 
33636 40732d strlen strlen 33499->33636 33504 41072b 9 API calls 33505 44383d 33504->33505 33506 40732d 3 API calls 33505->33506 33507 443847 33506->33507 33508 4436ff 65 API calls 33507->33508 33509 443853 memset memset 33508->33509 33510 410493 3 API calls 33509->33510 33511 4438a6 ExpandEnvironmentStringsA strlen 33510->33511 33512 4438e1 _strcmpi 33511->33512 33513 4438d2 33511->33513 33514 403e7e 33512->33514 33515 4438f9 33512->33515 33513->33512 33514->33091 33516 4436ff 65 API calls 33515->33516 33516->33514 33517->33269 33518->33273 33519->33281 33520->33285 33521->33290 33522->33307 33523->33309 33524->33326 33525->33330 33526->33323 33528 40818e 33527->33528 33529 410411 RegOpenKeyExA 33528->33529 33529->33339 33530->33345 33531->33345 33532->33349 33533->33351 33534->33345 33535->33354 33536->33360 33537->33360 33538->33363 33539->33360 33541 404651 FreeLibrary 33540->33541 33542 4045de LoadLibraryA 33541->33542 33543 40464c 33542->33543 33544 4045ef GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 33542->33544 33543->33367 33543->33369 33543->33372 33545 404638 33544->33545 33546 404651 FreeLibrary 33545->33546 33547 40463e 33545->33547 33546->33543 33547->33543 33549 403cbf 33548->33549 33550 404657 FreeLibrary 33548->33550 33549->33381 33550->33549 33551->33379 33552->33385 33553->33399 33554->33393 33555->33394 33556->33399 33557->33399 33558->33399 33559->33410 33560->33414 33561->33414 33562->33414 33563->33414 33564->33428 33565->33430 33566->33431 33567->33435 33568->33436 33569->33436 33570->33445 33571->33442 33572->33451 33611 407649 33573->33611 33576 407649 _mbsnbcat 33577 40ef18 RegOpenKeyExA 33576->33577 33578 40ef38 RegQueryValueExA 33577->33578 33579 40f04e 33577->33579 33580 40f045 RegCloseKey 33578->33580 33581 40ef65 33578->33581 33579->33451 33580->33579 33581->33580 33582 40efea 33581->33582 33615 404666 _mbscpy 33581->33615 33582->33580 33616 4012ee strlen 33582->33616 33584 40ef86 33586 40472f 3 API 
calls 33584->33586 33591 40ef8b 33586->33591 33587 40f013 RegQueryValueExA 33587->33580 33588 40f036 33587->33588 33588->33580 33589 40efdf 33590 404780 FreeLibrary 33589->33590 33590->33582 33591->33589 33592 40efd6 LocalFree 33591->33592 33593 40efba memcpy 33591->33593 33592->33589 33593->33592 33617 404666 _mbscpy 33594->33617 33596 40f06f 33597 4045d6 7 API calls 33596->33597 33598 40f07d 33597->33598 33599 40f157 33598->33599 33600 40472f 3 API calls 33598->33600 33601 404651 FreeLibrary 33599->33601 33605 40f08a 33600->33605 33602 40f166 33601->33602 33603 404780 FreeLibrary 33602->33603 33604 40f171 33603->33604 33604->33451 33605->33599 33606 40f10c WideCharToMultiByte 33605->33606 33607 40f12d strlen 33606->33607 33608 40f14e LocalFree 33606->33608 33607->33608 33609 40f13d _mbscpy 33607->33609 33608->33599 33609->33608 33610->33451 33612 407675 33611->33612 33613 407656 _mbsnbcat 33612->33613 33614 407679 33612->33614 33613->33612 33614->33576 33615->33584 33616->33587 33617->33596 33631 410411 RegOpenKeyExA 33618->33631 33620 443a6f 33621 40380c 33620->33621 33632 410452 RegQueryValueExA 33620->33632 33621->33459 33629 4021ad memset 33621->33629 33623 443a88 33624 443ac0 RegCloseKey 33623->33624 33633 410452 RegQueryValueExA 33623->33633 33624->33621 33626 443aa5 33626->33624 33634 443d5d 30 API calls 33626->33634 33628 443abe 33628->33624 33629->33461 33630->33459 33631->33620 33632->33623 33633->33626 33634->33628 33635->33482 33637 407358 33636->33637 33638 40734a _mbscat 33636->33638 33639 4436ff 33637->33639 33638->33637 33656 407c2c 33639->33656 33642 44373a 33643 443761 33642->33643 33644 443745 33642->33644 33664 407c87 33642->33664 33645 407c2c 9 API calls 33643->33645 33681 443683 52 API calls 33644->33681 33648 44378d 33645->33648 33647 407c87 9 API calls 33647->33648 33648->33647 33649 4437bb 33648->33649 33654 4436ff 65 API calls 33648->33654 33674 407bf1 33648->33674 33678 407d1f 33649->33678 33653 407d1f FindClose 33655 4437d1 
33653->33655 33654->33648 33655->33504 33657 407d1f FindClose 33656->33657 33658 407c39 33657->33658 33659 406ca4 2 API calls 33658->33659 33660 407c4c strlen strlen 33659->33660 33661 407c70 33660->33661 33662 407c79 33660->33662 33682 406e81 strlen _mbscat _mbscpy _mbscat 33661->33682 33662->33642 33665 407c92 FindFirstFileA 33664->33665 33666 407cb3 FindNextFileA 33664->33666 33667 407cce 33665->33667 33668 407cd5 strlen strlen 33666->33668 33669 407cc9 33666->33669 33667->33668 33671 407d0e 33667->33671 33668->33671 33672 407d05 33668->33672 33670 407d1f FindClose 33669->33670 33670->33667 33671->33642 33683 406e81 strlen _mbscat _mbscpy _mbscat 33672->33683 33675 407c23 33674->33675 33676 407bfb strcmp 33674->33676 33675->33648 33676->33675 33677 407c12 strcmp 33676->33677 33677->33675 33679 407d32 33678->33679 33680 407d28 FindClose 33678->33680 33679->33653 33680->33679 33681->33642 33682->33662 33683->33671 33684->33108 33685->33103 33686->33114 33687->33115 33688->33121 33689->33118 33690->33113 33916 40420c 12 API calls 33920 409213 10 API calls 33740 411014 15 API calls __fprintf_l 33921 404217 26 API calls 33922 403a18 strlen WriteFile 33741 43f41d 17 API calls 33742 43f022 19 API calls 33925 408e21 7 API calls 33926 411222 RtlEnterCriticalSection 33929 43ee2d 112 API calls 33930 411231 RtlLeaveCriticalSection 33931 403632 21 API calls 33934 413e34 19 API calls 33751 427434 76 API calls 33752 423c3b 19 API calls 33756 405cc1 65 API calls 33758 424852 75 API calls __fprintf_l 33936 4092cb 17 API calls 33937 4442cf _exit _c_exit 33762 43ecc8 18 API calls 33938 408ed5 7 API calls 33940 405edc SetDlgItemTextA GetDlgItemTextA 33767 424852 79 API calls __fprintf_l 33768 424852 76 API calls __fprintf_l 33941 427645 42 API calls 33771 4338e6 15 API calls __fprintf_l 33943 43eae9 149 API calls 33773 4100ec 42 API calls 33774 43e8ed 15 API calls 33775 426ced memset memset memcpy 33944 40c2ef 43 API calls 33945 40def0 9 API calls 33946 403af4 54 API calls 33780 
43e8f9 122 API calls __fprintf_l 33947 4016fc NtdllDefWindowProc_A ??2@YAPAXI memset memcpy ??3@YAXPAX 33948 4336fd 17 API calls __fprintf_l 33949 403e83 34 API calls 33950 42968a 11 API calls 33951 40da89 42 API calls 33782 425e13 21 API calls 33784 43ec88 119 API calls 33785 426c8e 41 API calls 33952 433a8f 18 API calls 33787 409c8d _strcmpi 33954 44128b memcmp 33959 40aa94 7 API calls 33961 424852 111 API calls __fprintf_l 33962 43f698 21 API calls 33967 4276ad 47 API calls 33968 423ab3 18 API calls __fprintf_l 33970 43f2b7 17 API calls 33800 43f4ba 18 API calls 33971 424852 85 API calls __fprintf_l 33972 4442bb _XcptFilter 33805 444941 ??3@YAXPAX 33807 424852 77 API calls __fprintf_l 33973 43ef44 20 API calls 33808 42d14a 22 API calls 33974 404348 19 API calls 33809 40b94b 138 API calls 33976 424852 76 API calls __fprintf_l 33977 40c750 59 API calls 33812 414557 memset memset 33813 42523b 79 API calls __fprintf_l 33815 40ad58 30 API calls 33817 44315e 44 API calls 33818 41055b WritePrivateProfileStringA GetPrivateProfileStringA 33981 413f5c 18 API calls 33983 43f361 134 API calls 33822 440162 17 API calls 33823 444963 FreeLibrary 33825 429d69 memcpy __allrem 33984 40176b ExitProcess 33986 43eb6e 17 API calls 33827 437972 110 API calls __fprintf_l 33828 405972 40 API calls 33988 442f71 _mbscpy 33830 403577 20 API calls 33696 44497b 33697 444984 ??3@YAXPAX 33696->33697 33698 44498b 33696->33698 33697->33698 33699 444994 ??3@YAXPAX 33698->33699 33700 44499b 33698->33700 33699->33700 33701 4449a4 ??3@YAXPAX 33700->33701 33702 4449ab 33700->33702 33701->33702 33703 4449b4 ??3@YAXPAX 33702->33703 33704 4449bb 33702->33704 33703->33704 33835 444905 _onexit __dllonexit 33836 43ed07 20 API calls 32776 410507 32779 4103e0 32776->32779 32778 410527 32780 4103ec 32779->32780 32781 4103fe GetPrivateProfileIntA 32779->32781 32784 4102f8 memset _itoa WritePrivateProfileStringA 32780->32784 32781->32778 32783 4103f9 32783->32778 32784->32783 33990 415b07 memcpy memcpy memcpy 
memcpy 33991 40af07 8 API calls 33839 414d0c 22 API calls __fprintf_l 33840 433513 19 API calls __fprintf_l 33995 424852 83 API calls __fprintf_l 33844 40a117 memset sprintf SendMessageA 33996 40c319 125 API calls 33997 40b31a memset memset _mbsicmp 33846 410d1d 18 API calls 2 library calls 34001 441727 38 API calls 33848 433126 16 API calls __fprintf_l 34003 42732a 24 API calls 33850 426928 CloseHandle memset memset 34006 405f2b 12 API calls 34008 42df2e 127 API calls __fprintf_l 32757 410531 32760 410344 32757->32760 32761 410351 32760->32761 32762 410398 memset GetPrivateProfileStringA 32761->32762 32763 41035f memset 32761->32763 32768 4073d5 strlen 32762->32768 32773 40735c sprintf memcpy 32763->32773 32766 410381 WritePrivateProfileStringA 32767 4103da 32766->32767 32769 4073e9 32768->32769 32770 4073eb 32768->32770 32769->32767 32772 407432 32770->32772 32774 40710b strtoul 32770->32774 32772->32767 32773->32766 32774->32770 34009 43f332 133 API calls 34011 418f35 61 API calls 34013 425e13 109 API calls __fprintf_l 33857 411136 InterlockedCompareExchange RtlInitializeCriticalSection 33859 425e13 19 API calls 33863 440132 34 API calls 33865 4111c1 RtlInitializeCriticalSection memset 34018 4157c8 16 API calls __fprintf_l 34020 43f3ce 138 API calls 33868 4275cd 44 API calls 34022 424852 108 API calls __fprintf_l 34024 42dbd4 18 API calls __fprintf_l 33871 40c5d8 18 API calls 34025 432bda 16 API calls __fprintf_l 34026 43ebd9 22 API calls 33691 4105dd FindResourceA 33692 4105f6 SizeofResource 33691->33692 33693 410620 33691->33693 33692->33693 33694 410607 LoadResource 33692->33694 33694->33693 33695 410615 LockResource 33694->33695 33695->33693 34029 4013de 15 API calls 34032 424852 76 API calls __fprintf_l 33875 4141e7 15 API calls 34034 43ebdd 25 API calls 34035 43efec 18 API calls 34037 443ff5 _onexit 33877 4021f6 14 API calls 34039 427bfb 36 API calls 33879 433982 16 API calls 33881 411182 InterlockedCompareExchange RtlDeleteCriticalSection 34042 412786 
_endthreadex 33882 401591 8 API calls 34045 432b91 15 API calls 34046 43eb91 17 API calls 33885 410597 memset _itoa WritePrivateProfileStringA GetPrivateProfileIntA 34047 43ff95 20 API calls 34048 42af9d 31 API calls 34049 424852 119 API calls __fprintf_l 34051 4143a4 18 API calls 34054 409fae 12 API calls 33890 419db5 42 API calls 34055 4167b5 memset __fprintf_l 34056 4293b4 10 API calls 33891 40f5b8 70 API calls 33893 4375b9 22 API calls 34061 4243bd 15 API calls __fprintf_l

                                                                                                    Control-flow Graph

                                                                                                    [Control-flow graph, node 129 (408043-40818c): memset * 4, GetComputerNameA, GetUserNameA, MultiByteToWideChar * 2, strlen * 2, memcpy]
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 004080A5
                                                                                                    • memset.MSVCRT ref: 004080B9
                                                                                                    • memset.MSVCRT ref: 004080D3
                                                                                                    • memset.MSVCRT ref: 004080E8
                                                                                                    • GetComputerNameA.KERNEL32(?,?), ref: 0040810A
                                                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 0040811E
                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040813D
                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00408152
                                                                                                    • strlen.MSVCRT ref: 0040815B
                                                                                                    • strlen.MSVCRT ref: 0040816A
                                                                                                    • memcpy.MSVCRT(?,000000A3,00000010,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040817C
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                                                                                                    • String ID: 5$H$O$b$i$}$}
                                                                                                    • API String ID: 1832431107-3760989150
                                                                                                    • Opcode ID: 282d28ced94b0fcaa9e4670a9559102abf7cd8878a85da3a2d842f9bb15e03e3
                                                                                                    • Instruction ID: 839b780f30062d9b3c48c7c4bb1edbc251b0819f5d773de0f2740150403ea89f
                                                                                                    • Opcode Fuzzy Hash: 282d28ced94b0fcaa9e4670a9559102abf7cd8878a85da3a2d842f9bb15e03e3
                                                                                                    • Instruction Fuzzy Hash: D151D771C0025DAEDB11CBA8CC41BEEBBBCEF49314F0441EAE555AA182D3389B45CB65

                                                                                                    Control-flow Graph

                                                                                                    [Control-flow graph, node 451 (407c87-407c90): FindFirstFileA, FindNextFileA, strlen * 2; calls 407d1f, 406e81]
                                                                                                    APIs
                                                                                                    • FindFirstFileA.KERNELBASE(?,?,?,?,0044375D,*.oeaccount,.8D,?,00000104), ref: 00407C9D
                                                                                                    • FindNextFileA.KERNELBASE(?,?,?,?,0044375D,*.oeaccount,.8D,?,00000104), ref: 00407CBB
                                                                                                    • strlen.MSVCRT ref: 00407CEB
                                                                                                    • strlen.MSVCRT ref: 00407CF3
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileFindstrlen$FirstNext
                                                                                                    • String ID: .8D
                                                                                                    • API String ID: 379999529-2881260426

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00401E82
                                                                                                    • strlen.MSVCRT ref: 00401E9B
                                                                                                    • strlen.MSVCRT ref: 00401EA9
                                                                                                    • strlen.MSVCRT ref: 00401EEF
                                                                                                    • strlen.MSVCRT ref: 00401EFD
                                                                                                    • memset.MSVCRT ref: 00401FA8
                                                                                                    • atoi.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00401FD7
                                                                                                    • memset.MSVCRT ref: 00401FFA
                                                                                                    • sprintf.MSVCRT ref: 00402027
                                                                                                      • Part of subcall function 00410493: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 004104CC
                                                                                                    • memset.MSVCRT ref: 0040207D
                                                                                                    • memset.MSVCRT ref: 00402092
                                                                                                    • strlen.MSVCRT ref: 00402098
                                                                                                    • strlen.MSVCRT ref: 004020A6
                                                                                                    • strlen.MSVCRT ref: 004020D9
                                                                                                    • strlen.MSVCRT ref: 004020E7
                                                                                                    • memset.MSVCRT ref: 0040200F
                                                                                                      • Part of subcall function 00406E81: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,0040210D,00000000,nss3.dll), ref: 00406E89
                                                                                                      • Part of subcall function 00406E81: _mbscat.MSVCRT ref: 00406E98
                                                                                                    • _mbscpy.MSVCRT(?,00000000), ref: 0040216E
                                                                                                    • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00402178
                                                                                                    • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00402193
                                                                                                      • Part of subcall function 00406D1F: GetFileAttributesA.KERNELBASE(?,004093E6,?,0040949C,00000000,?,00000000,00000104,?), ref: 00406D23
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: strlen$memset$Close_mbscpy$AttributesEnvironmentExpandFileStrings_mbscatatoisprintf
                                                                                                    • String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
                                                                                                    • API String ID: 1846531875-4223776976

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                      • Part of subcall function 00404A94: LoadLibraryA.KERNEL32(comctl32.dll,74DF0A60,?,00000000,?,?,?,0040CC82,74DF0A60), ref: 00404AB3
                                                                                                      • Part of subcall function 00404A94: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404AC5
                                                                                                      • Part of subcall function 00404A94: FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040CC82,74DF0A60), ref: 00404AD9
                                                                                                      • Part of subcall function 00404A94: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B04
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?), ref: 0040CEB2
                                                                                                    • DeleteObject.GDI32(?), ref: 0040CEC8
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
                                                                                                    • String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !
                                                                                                    • API String ID: 745651260-375988210

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                      • Part of subcall function 00410166: FreeLibrary.KERNELBASE(?,0041019A,?,?,?,?,?,?,004041AC), ref: 00410172
                                                                                                    • LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C22
                                                                                                    • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C37
                                                                                                    • _mbscpy.MSVCRT(?,?), ref: 00403E41
                                                                                                    Strings
                                                                                                    • pstorec.dll, xrefs: 00403C1D
                                                                                                    • PStoreCreateInstance, xrefs: 00403C31
                                                                                                    • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CE8
                                                                                                    • www.google.com:443/Please log in to your Gmail account, xrefs: 00403C7D
                                                                                                    • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CC3
                                                                                                    • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D2F
                                                                                                    • Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D28
                                                                                                    • Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403D91
                                                                                                    • Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D5B
                                                                                                    • www.google.com:443/Please log in to your Google Account, xrefs: 00403C91
                                                                                                    • www.google.com/Please log in to your Google Account, xrefs: 00403C87
                                                                                                    • www.google.com/Please log in to your Gmail account, xrefs: 00403C73
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Library$AddressFreeLoadProc_mbscpy
                                                                                                    • String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
                                                                                                    • API String ID: 1197458902-317895162

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 231 444adf-444af0 call 44431c GetModuleHandleA 235 44414c-444157 231->235 236 44416b-4441e4 __set_app_type __p__fmode __p__commode call 444318 231->236 235->236 237 444159-444169 235->237 242 4441e6-4441f1 __setusermatherr 236->242 243 4441f2-44424c call 444306 _initterm __getmainargs _initterm 236->243 237->236 242->243 246 44424e-444256 243->246 247 44425c-44425f 246->247 248 444258-44425a 246->248 249 444265-444269 247->249 250 444261-444262 247->250 248->246 248->247 251 44426f-4442aa GetStartupInfoA GetModuleHandleA call 40cc66 249->251 252 44426b-44426d 249->252 250->249 257 4442b3-4442f3 _cexit call 444355 251->257 258 4442ac-4442ad exit 251->258 252->250 252->251 258->257
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                                                                                    • String ID: hlTD
                                                                                                    • API String ID: 3662548030-830287725

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 262 40f478-40f4ad call 4446d0 RegOpenKeyExA 265 40f4b3-40f4c7 RegOpenKeyExA 262->265 266 40f5af-40f5b5 262->266 267 40f5a5-40f5a9 RegCloseKey 265->267 268 40f4cd-40f4f6 RegQueryValueExA 265->268 267->266 269 40f59b-40f59f RegCloseKey 268->269 270 40f4fc-40f50b call 40472f 268->270 269->267 270->269 273 40f511-40f549 call 4047a0 270->273 273->269 276 40f54b-40f553 273->276 277 40f591-40f595 LocalFree 276->277 278 40f555-40f58c memcpy * 2 call 40f177 276->278 277->269 278->277
                                                                                                    APIs
                                                                                                    • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E6C,?), ref: 0040F4A9
                                                                                                    • RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E6C,?), ref: 0040F4C3
                                                                                                    • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E6C,?), ref: 0040F4EE
                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,00403E6C,?), ref: 0040F59F
                                                                                                      • Part of subcall function 0040472F: LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
                                                                                                      • Part of subcall function 0040472F: GetProcAddress.KERNEL32(00000000,?), ref: 0040474F
                                                                                                    • memcpy.MSVCRT(?,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,00001000,?,?,?,?,?,00403E6C,?), ref: 0040F55C
                                                                                                    • memcpy.MSVCRT(?,?,?), ref: 0040F571
                                                                                                      • Part of subcall function 0040F177: RegOpenKeyExA.ADVAPI32(0040F591,Creds,00000000,00020019,0040F591,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040F591,?,?,?,?), ref: 0040F1A1
                                                                                                      • Part of subcall function 0040F177: memset.MSVCRT ref: 0040F1BF
                                                                                                      • Part of subcall function 0040F177: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F2C3
                                                                                                      • Part of subcall function 0040F177: RegCloseKey.ADVAPI32(?), ref: 0040F2D4
                                                                                                    • LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E6C,?), ref: 0040F595
                                                                                                    • RegCloseKey.KERNELBASE(?,?,?,?,?,00403E6C,?), ref: 0040F5A9
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                                                                                                    • String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Dynamic Salt$Software\Microsoft\IdentityCRL$Value
                                                                                                    • API String ID: 2768085393-1693574875

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 004437F8
                                                                                                      • Part of subcall function 0040732D: strlen.MSVCRT ref: 0040732F
                                                                                                      • Part of subcall function 0040732D: strlen.MSVCRT ref: 0040733A
                                                                                                      • Part of subcall function 0040732D: _mbscat.MSVCRT ref: 00407351
                                                                                                      • Part of subcall function 0041072B: memset.MSVCRT ref: 00410780
                                                                                                      • Part of subcall function 0041072B: RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004107E9
                                                                                                      • Part of subcall function 0041072B: _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 004107F7
                                                                                                    • memset.MSVCRT ref: 00443866
                                                                                                    • memset.MSVCRT ref: 00443881
                                                                                                      • Part of subcall function 00410493: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 004104CC
                                                                                                    • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004438BA
                                                                                                    • strlen.MSVCRT ref: 004438C8
                                                                                                    • _strcmpi.MSVCRT ref: 004438EE
                                                                                                    Strings
                                                                                                    • Software\Microsoft\Windows Live Mail, xrefs: 00443897
                                                                                                    • \Microsoft\Windows Mail, xrefs: 00443816
                                                                                                    • Store Root, xrefs: 00443892
                                                                                                    • \Microsoft\Windows Live Mail, xrefs: 0044383D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$strlen$Close$EnvironmentExpandStrings_mbscat_mbscpy_strcmpi
                                                                                                    • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
                                                                                                    • API String ID: 832325562-2578778931
                                                                                                    • Opcode ID: 6fc0dee76c051778cb740bd7e53ebdb0f4a90b1cda5d9aa213cda3ff8e9e6b3c
                                                                                                    • Instruction ID: 024f477f45f6e85a7703d2448ebd5bdc30730893e4efb81a5a52e1788c76f972
                                                                                                    • Opcode Fuzzy Hash: 6fc0dee76c051778cb740bd7e53ebdb0f4a90b1cda5d9aa213cda3ff8e9e6b3c
                                                                                                    • Instruction Fuzzy Hash: 723166B2508344AAF320FB99DC47FCB77DC9B88715F14441FF648D7182EA78964487AA

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 301 40edd5-40ef32 memset * 2 call 407649 * 2 RegOpenKeyExA 306 40ef38-40ef5f RegQueryValueExA 301->306 307 40f04e-40f054 301->307 308 40f045-40f048 RegCloseKey 306->308 309 40ef65-40ef69 306->309 308->307 309->308 310 40ef6f-40ef79 309->310 311 40ef7b-40ef8d call 404666 call 40472f 310->311 312 40efec 310->312 322 40efdf-40efea call 404780 311->322 323 40ef8f-40efb3 call 4047a0 311->323 313 40efef-40eff2 312->313 313->308 315 40eff4-40f034 call 4012ee RegQueryValueExA 313->315 315->308 321 40f036-40f044 315->321 321->308 322->313 323->322 328 40efb5-40efb8 323->328 329 40efd6-40efd9 LocalFree 328->329 330 40efba-40efcf memcpy 328->330 329->322 330->329
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040EEDC
                                                                                                    • memset.MSVCRT ref: 0040EEF4
                                                                                                      • Part of subcall function 00407649: _mbsnbcat.MSVCRT ref: 00407669
                                                                                                    • RegOpenKeyExA.KERNELBASE(80000001,00000082,00000000,00020019,?,?,?,?,?,00000000), ref: 0040EF2A
                                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040EF57
                                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F02C
                                                                                                      • Part of subcall function 00404666: _mbscpy.MSVCRT ref: 004046B5
                                                                                                      • Part of subcall function 0040472F: LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
                                                                                                      • Part of subcall function 0040472F: GetProcAddress.KERNEL32(00000000,?), ref: 0040474F
                                                                                                    • memcpy.MSVCRT(00000020,?,?,?,00000000,?,?,?,?,?,00000000), ref: 0040EFC7
                                                                                                    • LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040EFD9
                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000), ref: 0040F048
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: QueryValuememset$AddressCloseFreeLibraryLoadLocalOpenProc_mbscpy_mbsnbcatmemcpy
                                                                                                    • String ID:
                                                                                                    • API String ID: 2012582556-3916222277
                                                                                                    • Opcode ID: c56697a3f4471c298e0a90d4e79b27395d285dc68c8174379ef999514247f8f1
                                                                                                    • Instruction ID: 747b8e804c7bbb21ad1dd8da88f93546a58f2d2a8080c646c51fe7008e5948b4
                                                                                                    • Opcode Fuzzy Hash: c56697a3f4471c298e0a90d4e79b27395d285dc68c8174379ef999514247f8f1
                                                                                                    • Instruction Fuzzy Hash: 83811E618087CB9ECB21DBBC8C445DDBF745F17234F0843A9E5B47A2E2D3245A46C7AA

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 331 4037bc-40380e memset * 2 call 443a35 334 4038d4-4038d7 331->334 335 403814-403874 call 4021ad call 406ca4 * 2 strchr 331->335 342 403876-403887 _mbscpy 335->342 343 403889-403894 strlen 335->343 344 4038b1-4038cf _mbscpy call 4023d7 342->344 343->344 345 403896-4038ae sprintf 343->345 344->334 345->344
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 004037DD
                                                                                                    • memset.MSVCRT ref: 004037F1
                                                                                                      • Part of subcall function 00443A35: memset.MSVCRT ref: 00443A57
                                                                                                      • Part of subcall function 00443A35: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 00443AC3
                                                                                                      • Part of subcall function 00406CA4: strlen.MSVCRT ref: 00406CA9
                                                                                                      • Part of subcall function 00406CA4: memcpy.MSVCRT(?,00401CA0,00000000,00000000,00401CA0,00000001,00000104,?,?,?,?,?,00000000), ref: 00406CBE
                                                                                                    • strchr.MSVCRT ref: 00403860
                                                                                                    • _mbscpy.MSVCRT(?,?,?,?,?), ref: 0040387D
                                                                                                    • strlen.MSVCRT ref: 00403889
                                                                                                    • sprintf.MSVCRT ref: 004038A9
                                                                                                    • _mbscpy.MSVCRT(?,?,?,?,?), ref: 004038BF
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$_mbscpystrlen$Closememcpysprintfstrchr
                                                                                                    • String ID: %s@yahoo.com
                                                                                                    • API String ID: 317221925-3288273942
                                                                                                    • Opcode ID: d60bca720589179ecaba888acfb06c659ae8ca2e8fa3040f7b3a2b52ee5dbe9d
                                                                                                    • Instruction ID: 0355cd0d48ae578dfdfe4a6cbfa0b9af13deca75d91fcedaec1ea3361aee035e
                                                                                                    • Opcode Fuzzy Hash: d60bca720589179ecaba888acfb06c659ae8ca2e8fa3040f7b3a2b52ee5dbe9d
                                                                                                    • Instruction Fuzzy Hash: D0215773D0412C5EEB21EA55DD41BDA77ACDF45308F0000EBB648F6081E6789F588F55

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 347 4034d6-403536 memset * 2 call 410493 350 403572-403574 347->350 351 403538-403571 _mbscpy call 406af3 _mbscat call 4033e2 347->351 351->350
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 004034F6
                                                                                                    • memset.MSVCRT ref: 0040350C
                                                                                                      • Part of subcall function 00410493: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 004104CC
                                                                                                    • _mbscpy.MSVCRT(00000000,00000000), ref: 00403547
                                                                                                      • Part of subcall function 00406AF3: strlen.MSVCRT ref: 00406AF4
                                                                                                      • Part of subcall function 00406AF3: _mbscat.MSVCRT ref: 00406B0B
                                                                                                    • _mbscat.MSVCRT ref: 0040355F
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _mbscatmemset$Close_mbscpystrlen
                                                                                                    • String ID: InstallPath$Software\Group Mail$fb.dat
                                                                                                    • API String ID: 3071782539-966475738
                                                                                                    • Opcode ID: 54c8bbf3eb8d0466f411e99308dc44d2159ae764936348353c897a0f1e8016fc
                                                                                                    • Instruction ID: 06cca456285af6d778403e239192c4ceeddf5a100a2cf1fec545289e95a886a3
                                                                                                    • Opcode Fuzzy Hash: 54c8bbf3eb8d0466f411e99308dc44d2159ae764936348353c897a0f1e8016fc
                                                                                                    • Instruction Fuzzy Hash: 6901F07294412866EB20F2658C46FCB7A5C9B65705F0000B7BA49F20C3D9F86BD486A9

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 356 40c9f7-40ca26 ??2@YAPAXI@Z 357 40ca28-40ca2d 356->357 358 40ca2f 356->358 359 40ca31-40ca44 ??2@YAPAXI@Z 357->359 358->359 360 40ca46-40ca4d call 40400d 359->360 361 40ca4f 359->361 363 40ca51-40ca77 360->363 361->363 365 40ca86-40caf9 call 406e26 call 4019b4 memset LoadIconA call 4019b4 _mbscpy 363->365 366 40ca79-40ca80 DeleteObject 363->366 366->365
                                                                                                    APIs
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000014,00000000), ref: 0040CA1E
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(000012EC,00000000), ref: 0040CA3C
                                                                                                    • DeleteObject.GDI32(?), ref: 0040CA7A
                                                                                                    • memset.MSVCRT ref: 0040CAB6
                                                                                                    • LoadIconA.USER32(00000065), ref: 0040CAC6
                                                                                                    • _mbscpy.MSVCRT(?,00000000,?,00000000), ref: 0040CAE4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ??2@$DeleteIconLoadObject_mbscpymemset
                                                                                                    • String ID:
                                                                                                    • API String ID: 2054149589-0
                                                                                                    • Opcode ID: ba951af192373a64cb311b94f1ad91644426618c8637830695619166661b1ba1
                                                                                                    • Instruction ID: 30546b7ffc0c4dd123ee27c8339ba671db17b069e44cca125f5e111fbf26b461
                                                                                                    • Opcode Fuzzy Hash: ba951af192373a64cb311b94f1ad91644426618c8637830695619166661b1ba1
                                                                                                    • Instruction Fuzzy Hash: D22190B5900324DBDB10EF648CC97D97BA8AB44705F1445BBEE08EF296D7B849408BA9

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 373 444a4e-444a55 GetModuleHandleA 374 444a95 373->374 375 444a57-444a64 call 444a6b 373->375 377 444a97-444a9b 374->377 381 444ad5-444ad6 375->381 382 444a66 375->382 379 444a9d-444aa5 GetModuleHandleA 377->379 380 444ada call 444adf 377->380 384 444aa7-444aaf 379->384 385 444ace-444ad4 381->385 386 444ad8 381->386 387 444acd 382->387 388 444a68-444a73 GetProcAddress 382->388 384->384 389 444ab1-444ab4 384->389 385->381 386->389 387->385 388->374 392 444a75-444a82 VirtualProtect 388->392 389->377 390 444ab6-444ab8 389->390 393 444abe-444ac6 390->393 394 444aba-444abc 390->394 395 444a94 392->395 396 444a84-444a92 VirtualProtect 392->396 397 444ac7-444ac8 GetProcAddress 393->397 394->397 395->374 396->395 397->387
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(00444A45), ref: 00444A4E
                                                                                                    • GetModuleHandleA.KERNEL32(?,00444A45), ref: 00444AA0
                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444AC8
                                                                                                      • Part of subcall function 00444A6B: GetProcAddress.KERNEL32(00000000,00444A5C), ref: 00444A6C
                                                                                                      • Part of subcall function 00444A6B: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,00444A5C,00444A45), ref: 00444A7E
                                                                                                      • Part of subcall function 00444A6B: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,00444A5C,00444A45), ref: 00444A92
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                    • String ID:
                                                                                                    • API String ID: 2099061454-0
                                                                                                    • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                    • Instruction ID: 64d8077581e7bfcf5b5a7686d9ec621b59dbeaea1ec513f5aad7139115001ce4
                                                                                                    • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                    • Instruction Fuzzy Hash: 2C012D015C564139FB20A6F50C02BBB5F8D8AD7364B181B4BF150F7293D99C8D16937E

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                      • Part of subcall function 00408043: memset.MSVCRT ref: 004080A5
                                                                                                      • Part of subcall function 00408043: memset.MSVCRT ref: 004080B9
                                                                                                      • Part of subcall function 00408043: memset.MSVCRT ref: 004080D3
                                                                                                      • Part of subcall function 00408043: memset.MSVCRT ref: 004080E8
                                                                                                      • Part of subcall function 00408043: GetComputerNameA.KERNEL32(?,?), ref: 0040810A
                                                                                                      • Part of subcall function 00408043: GetUserNameA.ADVAPI32(?,?), ref: 0040811E
                                                                                                      • Part of subcall function 00408043: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040813D
                                                                                                      • Part of subcall function 00408043: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00408152
                                                                                                      • Part of subcall function 00408043: strlen.MSVCRT ref: 0040815B
                                                                                                      • Part of subcall function 00408043: strlen.MSVCRT ref: 0040816A
                                                                                                      • Part of subcall function 00408043: memcpy.MSVCRT(?,000000A3,00000010,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040817C
                                                                                                      • Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,004107BA,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410424
                                                                                                    • memset.MSVCRT ref: 00408392
                                                                                                      • Part of subcall function 004104D7: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 004104FA
                                                                                                    • memset.MSVCRT ref: 004083E3
                                                                                                    • RegCloseKey.ADVAPI32(?,?,?), ref: 00408421
                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 00408448
                                                                                                    Strings
                                                                                                    • Software\Google\Google Talk\Accounts, xrefs: 00408363
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUsermemcpy
                                                                                                    • String ID: Software\Google\Google Talk\Accounts
                                                                                                    • API String ID: 2959138223-1079885057
                                                                                                    • Opcode ID: d775ac8ba569fd5f9c268c161b920f0f986bb662fffb9e6d05309f5eaf26b962
                                                                                                    • Instruction ID: c6fde65740424625f6a31d6a262b66ef11e3a8462d59295f471bfbb40e3c967b
                                                                                                    • Opcode Fuzzy Hash: d775ac8ba569fd5f9c268c161b920f0f986bb662fffb9e6d05309f5eaf26b962
                                                                                                    • Instruction Fuzzy Hash: 5E2183B100824AAED610DF51DD42EABB7DCEF94344F00043EFA84911A2F675DD5D9BAB

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Similarity
                                                                                                    • API ID: Cursor_mbsicmpqsort
                                                                                                    • String ID: /nosort$/sort
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(?,00444A45), ref: 00444AA0
                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444AC8
                                                                                                      • Part of subcall function 00444A4E: GetModuleHandleA.KERNEL32(00444A45), ref: 00444A4E
                                                                                                      • Part of subcall function 00444A4E: GetProcAddress.KERNEL32(00000000,00444A5C), ref: 00444A6C
                                                                                                      • Part of subcall function 00444A4E: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,00444A5C,00444A45), ref: 00444A7E
                                                                                                      • Part of subcall function 00444A4E: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,00444A5C,00444A45), ref: 00444A92
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Similarity
                                                                                                    • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                    • String ID:
                                                                                                    APIs
                                                                                                    • GetProcAddress.KERNEL32(00000000,00444A5C), ref: 00444A6C
                                                                                                    • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,00444A5C,00444A45), ref: 00444A7E
                                                                                                    • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,00444A5C,00444A45), ref: 00444A92
                                                                                                    • GetModuleHandleA.KERNEL32(?,00444A45), ref: 00444AA0
                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444AC8
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Similarity
                                                                                                    • API ID: AddressProcProtectVirtual$HandleModule
                                                                                                    • String ID:
                                                                                                    APIs
                                                                                                      • Part of subcall function 0041067E: LoadLibraryA.KERNEL32(shell32.dll,0040CC91,74DF0A60,?,00000000), ref: 0041068C
                                                                                                      • Part of subcall function 0041067E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 004106A1
                                                                                                    • memset.MSVCRT ref: 00410780
                                                                                                    • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004107E9
                                                                                                    • _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 004107F7
                                                                                                      • Part of subcall function 00406E4C: GetVersionExA.KERNEL32(00451168,0000001A,00410749,00000104), ref: 00406E66
                                                                                                    Strings
                                                                                                    • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 0041079B, 004107AB
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Similarity
                                                                                                    • API ID: AddressCloseLibraryLoadProcVersion_mbscpymemset
                                                                                                    • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                    APIs
                                                                                                    • FindResourceA.KERNEL32(?,?,?), ref: 004105EA
                                                                                                    • SizeofResource.KERNEL32(?,00000000), ref: 004105FB
                                                                                                    • LoadResource.KERNEL32(?,00000000), ref: 0041060B
                                                                                                    • LockResource.KERNEL32(00000000), ref: 00410616
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Similarity
                                                                                                    • API ID: Resource$FindLoadLockSizeof
                                                                                                    • String ID:
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0041036C
                                                                                                      • Part of subcall function 0040735C: sprintf.MSVCRT ref: 00407394
                                                                                                      • Part of subcall function 0040735C: memcpy.MSVCRT(?,00000000,00000003,00000000,%2.2X ,?), ref: 004073A7
                                                                                                    • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410390
                                                                                                    • memset.MSVCRT ref: 004103A7
                                                                                                    • GetPrivateProfileStringA.KERNEL32(?,?,0044551F,?,00002000,?), ref: 004103C5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Similarity
                                                                                                    • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                                                                                    • String ID:
                                                                                                    APIs
                                                                                                    • malloc.MSVCRT ref: 00406CEA
                                                                                                    • memcpy.MSVCRT(00000000,00000000,00000000,00000000,74DF0A60,004077D2,00000001,?,00000000,74DF0A60,00407B4C,00000000,?,?), ref: 00406D02
                                                                                                    • free.MSVCRT ref: 00406D0B
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Similarity
                                                                                                    • API ID: freemallocmemcpy
                                                                                                    • String ID: L{@
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Similarity
                                                                                                    • API ID: ??3@
                                                                                                    • String ID:
                                                                                                    APIs
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00008000,00408B35,00409A4F,?,?,?,?,?,00000000,74DF0A60), ref: 00408ACD
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00008000,00408B35,00409A4F,?,?,?,?,?,00000000,74DF0A60), ref: 00408AEB
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,00408B35,00409A4F,?,?,?,?,?,00000000,74DF0A60), ref: 00408B09
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,00408B35,00409A4F,?,?,?,?,?,00000000,74DF0A60), ref: 00408B19
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Similarity
                                                                                                    • API ID: ??2@
                                                                                                    • String ID:
                                                                                                    APIs
                                                                                                      • Part of subcall function 00406D65: memset.MSVCRT ref: 00406D6F
                                                                                                      • Part of subcall function 00406D65: _mbscpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,00406E3D,Arial,0000000E,00000000), ref: 00406DAF
                                                                                                    • CreateFontIndirectA.GDI32(?), ref: 00406E44
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateFontIndirect_mbscpymemset
                                                                                                    • String ID: Arial
                                                                                                    • API String ID: 3853255127-493054409
                                                                                                    APIs
                                                                                                      • Part of subcall function 00401E60: memset.MSVCRT ref: 00401E82
                                                                                                      • Part of subcall function 00401E60: strlen.MSVCRT ref: 00401E9B
                                                                                                      • Part of subcall function 00401E60: strlen.MSVCRT ref: 00401EA9
                                                                                                      • Part of subcall function 00401E60: strlen.MSVCRT ref: 00401EEF
                                                                                                      • Part of subcall function 00401E60: strlen.MSVCRT ref: 00401EFD
                                                                                                    • _strcmpi.MSVCRT ref: 0040CBE4
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: strlen$_strcmpimemset
                                                                                                    • String ID: /stext
                                                                                                    • API String ID: 520177685-3817206916
                                                                                                    APIs
                                                                                                      • Part of subcall function 00404780: FreeLibrary.KERNELBASE(?,?), ref: 00404795
                                                                                                    • LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
                                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0040474F
                                                                                                    Similarity
                                                                                                    • API ID: Library$AddressFreeLoadProc
                                                                                                    • String ID:
                                                                                                    • API String ID: 145871493-0
                                                                                                    APIs
                                                                                                    • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410407
                                                                                                      • Part of subcall function 004102F8: memset.MSVCRT ref: 00410316
                                                                                                      • Part of subcall function 004102F8: _itoa.MSVCRT ref: 0041032D
                                                                                                      • Part of subcall function 004102F8: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 0041033C
                                                                                                    Similarity
                                                                                                    • API ID: PrivateProfile$StringWrite_itoamemset
                                                                                                    • String ID:
                                                                                                    • API String ID: 4165544737-0
                                                                                                    APIs
                                                                                                    • FreeLibrary.KERNELBASE(?,?), ref: 00404795
                                                                                                    Similarity
                                                                                                    • API ID: FreeLibrary
                                                                                                    • String ID:
                                                                                                    • API String ID: 3664257935-0
                                                                                                    APIs
                                                                                                    • CreateFileA.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,0040AD7B,00000000,00000000,00000000,0044551F,0044551F,?,0040CC56,0044551F), ref: 00406ACA
                                                                                                    Similarity
                                                                                                    • API ID: CreateFile
                                                                                                    • String ID:
                                                                                                    • API String ID: 823142352-0
                                                                                                    APIs
                                                                                                    • FreeLibrary.KERNELBASE(?,0041019A,?,?,?,?,?,?,004041AC), ref: 00410172
                                                                                                    Similarity
                                                                                                    • API ID: FreeLibrary
                                                                                                    • String ID:
                                                                                                    • API String ID: 3664257935-0
                                                                                                    APIs
                                                                                                    • EnumResourceNamesA.KERNEL32(?,?,004105DD,00000000), ref: 00410672
                                                                                                    Similarity
                                                                                                    • API ID: EnumNamesResource
                                                                                                    • String ID:
                                                                                                    • API String ID: 3334572018-0
                                                                                                    APIs
                                                                                                    • FindClose.KERNELBASE(?,00407C39,?,?,00000000,.8D,0044373A,*.oeaccount,.8D,?,00000104), ref: 00407D29
                                                                                                    Similarity
                                                                                                    • API ID: CloseFind
                                                                                                    • String ID:
                                                                                                    • API String ID: 1863332320-0
                                                                                                    APIs
                                                                                                    • RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,004107BA,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410424
                                                                                                    Similarity
                                                                                                    • API ID: Open
                                                                                                    • String ID:
                                                                                                    • API String ID: 71445658-0
                                                                                                    APIs
                                                                                                    • GetFileAttributesA.KERNELBASE(?,004093E6,?,0040949C,00000000,?,00000000,00000104,?), ref: 00406D23
                                                                                                    Similarity
                                                                                                    • API ID: AttributesFile
                                                                                                    • String ID:
                                                                                                    • API String ID: 3188754299-0
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNEL32(advapi32.dll,?,00404A47,?,?,0040410C,?,?,004041CC), ref: 004047D5
                                                                                                    • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004047E9
                                                                                                    • GetProcAddress.KERNEL32(0045175C,CryptReleaseContext), ref: 004047F5
                                                                                                    • GetProcAddress.KERNEL32(0045175C,CryptCreateHash), ref: 00404801
                                                                                                    • GetProcAddress.KERNEL32(0045175C,CryptGetHashParam), ref: 0040480D
                                                                                                    • GetProcAddress.KERNEL32(0045175C,CryptHashData), ref: 00404819
                                                                                                    • GetProcAddress.KERNEL32(0045175C,CryptDestroyHash), ref: 00404825
                                                                                                    • GetProcAddress.KERNEL32(0045175C,CryptDecrypt), ref: 00404831
                                                                                                    • GetProcAddress.KERNEL32(0045175C,CryptDeriveKey), ref: 0040483D
                                                                                                    • GetProcAddress.KERNEL32(0045175C,CryptImportKey), ref: 00404849
                                                                                                    • GetProcAddress.KERNEL32(0045175C,CryptDestroyKey), ref: 00404855
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$LibraryLoad
                                                                                                    • String ID: CryptAcquireContextA$CryptCreateHash$CryptDecrypt$CryptDeriveKey$CryptDestroyHash$CryptDestroyKey$CryptGetHashParam$CryptHashData$CryptImportKey$CryptReleaseContext$advapi32.dll
                                                                                                    APIs
                                                                                                      • Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,004107BA,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410424
                                                                                                      • Part of subcall function 00410452: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,004107E3,?,?,?,?,004107E3,00000000,?,?), ref: 0041046D
                                                                                                      • Part of subcall function 0041042B: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402928,?,?,?,?,00402928,?,?), ref: 0041044A
                                                                                                      • Part of subcall function 00410475: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,0040264A,?), ref: 0041048B
                                                                                                    • _mbscpy.MSVCRT(?,?), ref: 00402EBC
                                                                                                    • _mbscpy.MSVCRT(?,?,?,?), ref: 00402ECF
                                                                                                    • _mbscpy.MSVCRT(?,?), ref: 00402F5C
                                                                                                    • _mbscpy.MSVCRT(?,?,?,?), ref: 00402F69
                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 00402FC3
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: _mbscpy$QueryValue$CloseOpen
                                                                                                    • String ID: DisplayName$EmailAddress$PopAccount$PopLogSecure$PopPassword$PopPort$PopServer$SMTPAccount$SMTPLogSecure$SMTPPassword$SMTPPort$SMTPServer
                                                                                                    APIs
                                                                                                    • EmptyClipboard.USER32 ref: 00406BA4
                                                                                                      • Part of subcall function 00406A9F: CreateFileA.KERNEL32(R7D,80000000,00000001,00000000,00000003,00000000,00000000,0044368E,?,.8D,00443752,?,?,*.oeaccount,.8D,?), ref: 00406AB1
                                                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 00406BC1
                                                                                                    • GlobalAlloc.KERNEL32(00002000,00000001), ref: 00406BD2
                                                                                                    • GlobalLock.KERNEL32(00000000), ref: 00406BDF
                                                                                                    • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BF2
                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00406C01
                                                                                                    • SetClipboardData.USER32(00000001,00000000), ref: 00406C0A
                                                                                                    • GetLastError.KERNEL32 ref: 00406C12
                                                                                                    • CloseHandle.KERNEL32(?), ref: 00406C1E
                                                                                                    • GetLastError.KERNEL32 ref: 00406C29
                                                                                                    • CloseClipboard.USER32 ref: 00406C32
                                                                                                    Similarity
                                                                                                    • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                                                                                    • String ID:
                                                                                                    APIs
                                                                                                    • EmptyClipboard.USER32 ref: 00406C45
                                                                                                    • strlen.MSVCRT ref: 00406C52
                                                                                                    • GlobalAlloc.KERNEL32(00002000,00000001,?,?,?,?,0040C0BB,?), ref: 00406C61
                                                                                                    • GlobalLock.KERNEL32(00000000), ref: 00406C6E
                                                                                                    • memcpy.MSVCRT(00000000,?,00000001,?,?,?,?,0040C0BB,?), ref: 00406C77
                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00406C80
                                                                                                    • SetClipboardData.USER32(00000001,00000000), ref: 00406C89
                                                                                                    • CloseClipboard.USER32 ref: 00406C99
                                                                                                    Similarity
                                                                                                    • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpystrlen
                                                                                                    • String ID:
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: PrivateProfileString_mbscmpstrlen
                                                                                                    • String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: ??2@??3@memcpymemset
                                                                                                    • String ID: E$ E$ E
                                                                                                    APIs
                                                                                                    • strlen.MSVCRT ref: 0044269A
                                                                                                    • strncmp.MSVCRT ref: 004426AA
                                                                                                    • memcpy.MSVCRT(?,00000002,00000000,?,?,?,?), ref: 00442726
                                                                                                    • atoi.MSVCRT(00000000,?,00000002,00000000,?,?,?,?), ref: 00442737
                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00442763
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharMultiWideatoimemcpystrlenstrncmp
                                                                                                    • String ID: AElig;$Aacute;$Acirc;$Agrave;$Aring;$Atilde;$Auml;$Ccedil;$ETH;$Eacute;$Ecirc;$Egrave;$Euml;$Iacute;$Icirc;$Igrave;$Iuml;$Ntilde;$Oacute;$Ocirc;$Ograve;$Oslash;$Otilde;$Ouml;$THORN;$Uacute;$Ucirc;$Ugrave;$Uuml;$Yacute;$aacute;$acirc;$acute;$aelig;$agrave;$amp;$apos;$aring;$atilde;$auml;$brvbar;$ccedil;$cedil;$cent;$copy;$curren;$deg;$divide;$eacute;$ecirc;$egrave;$eth;$euml;$frac12;$frac14;$frac34;$gt;$iacute;$icirc;$iexcl;$igrave;$iquest;$iuml;$laquo;$lt;$macr;$micro;$middot;$nbsp;$not;$ntilde;$oacute;$ocirc;$ograve;$ordf;$ordm;$oslash;$otilde;$ouml;$para;$plusmn;$pound;$quot;$raquo;$reg;$sect;$shy;$sup1;$sup2;$sup3;$szlig;$thorn;$times;$uacute;$ucirc;$ugrave;$uml;$uuml;$yacute;$yen;$yuml;
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: strcmp$_strcmpi$memcpystrlenstrtoul
                                                                                                    • String ID: Account_Name$IMAP$IMAP_Port$IMAP_Secure_Connection$IMAP_Server$IMAP_User_Name$NNTP$NNTP_Email_Address$NNTP_Port$NNTP_Secure_Connection$NNTP_Server$NNTP_User_Name$POP3$POP3_Port$POP3_Secure_Connection$POP3_Server$POP3_User_Name$SMTP$SMTP_Email_Address$SMTP_Port$SMTP_Secure_Connection$SMTP_Server$SMTP_User_Name
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040E6BB
                                                                                                      • Part of subcall function 0040690E: memset.MSVCRT ref: 00406930
                                                                                                      • Part of subcall function 0040690E: strlen.MSVCRT ref: 0040693B
                                                                                                      • Part of subcall function 0040690E: strlen.MSVCRT ref: 00406949
                                                                                                    • memset.MSVCRT ref: 0040E70C
                                                                                                    • memset.MSVCRT ref: 0040E728
                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,%@,000000FF,?,00000104,?,?,?,?,?,?,0040EC25,?,00000000), ref: 0040E73F
                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000,?,?,?,?,?,?,0040EC25,?), ref: 0040E75E
                                                                                                    • memset.MSVCRT ref: 0040E7C0
                                                                                                    • memset.MSVCRT ref: 0040E7D5
                                                                                                    • _mbscpy.MSVCRT(?,?), ref: 0040E83A
                                                                                                    • _mbscpy.MSVCRT(?,00000001), ref: 0040E850
                                                                                                    • _mbscpy.MSVCRT(?,?), ref: 0040E866
                                                                                                    • _mbscpy.MSVCRT(?,?), ref: 0040E87C
                                                                                                    • _mbscpy.MSVCRT(?,?), ref: 0040E892
                                                                                                    • _mbscpy.MSVCRT(?,?), ref: 0040E8A8
                                                                                                    • memset.MSVCRT ref: 0040E8C2
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: memset$_mbscpy$ByteCharMultiWidestrlen
                                                                                                    • String ID: $"$$$$$%@$+$,$/$8$:$e$imap://%s$mailbox://%s$smtp://%s
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040690E: memset.MSVCRT ref: 00406930
                                                                                                      • Part of subcall function 0040690E: strlen.MSVCRT ref: 0040693B
                                                                                                      • Part of subcall function 0040690E: strlen.MSVCRT ref: 00406949
                                                                                                      • Part of subcall function 004086A5: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,0040EC43,?,00000000,?,?,?,?,?,?), ref: 004086C3
                                                                                                      • Part of subcall function 004086A5: CloseHandle.KERNEL32(?,?), ref: 0040870D
                                                                                                      • Part of subcall function 00408763: _mbsicmp.MSVCRT ref: 0040879D
                                                                                                    • memset.MSVCRT ref: 0040E123
                                                                                                    • memset.MSVCRT ref: 0040E138
                                                                                                    • _mbscpy.MSVCRT(?,00000001,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,?), ref: 0040E19F
                                                                                                    • _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,?), ref: 0040E1B5
                                                                                                    • _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,?), ref: 0040E1CB
                                                                                                    • _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,?), ref: 0040E1E1
                                                                                                    • _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,?), ref: 0040E1F7
                                                                                                    • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,?), ref: 0040E20A
                                                                                                    • memset.MSVCRT ref: 0040E225
                                                                                                    • memset.MSVCRT ref: 0040E23C
                                                                                                      • Part of subcall function 00406582: memset.MSVCRT ref: 004065A3
                                                                                                      • Part of subcall function 00406582: memcmp.MSVCRT(?,0044FE98,00000010,?,?,?), ref: 004065CD
                                                                                                    • memset.MSVCRT ref: 0040E29D
                                                                                                    • memset.MSVCRT ref: 0040E2B4
                                                                                                    • memset.MSVCRT ref: 0040E2CB
                                                                                                    • sprintf.MSVCRT ref: 0040E2E6
                                                                                                    • sprintf.MSVCRT ref: 0040E2FB
                                                                                                    • sprintf.MSVCRT ref: 0040E310
                                                                                                    • _strcmpi.MSVCRT ref: 0040E326
                                                                                                    • _strcmpi.MSVCRT ref: 0040E33F
                                                                                                    • _strcmpi.MSVCRT ref: 0040E358
                                                                                                    • _strcmpi.MSVCRT ref: 0040E374
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$_mbscpy$_strcmpi$sprintf$strlen$CloseFileHandleSize_mbsicmpmemcmp
                                                                                                    • String ID: C@$encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
                                                                                                    • API String ID: 4171719235-3249434271
                                                                                                    • Opcode ID: 12cb96f401a341e246283030d7facd02342688c056a454bfd348006343061e1f
                                                                                                    • Instruction ID: 4eb083177fa9c3dcba641838e0e399a852ec85db15ddf69852980c8670b79128
                                                                                                    • Opcode Fuzzy Hash: 12cb96f401a341e246283030d7facd02342688c056a454bfd348006343061e1f
                                                                                                    • Instruction Fuzzy Hash: EFA16672D04219AEDF10EBA1DC41ADE77BCAF44304F1044BFF645B7181DA38AA988F59
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _strcmpi$strlen$strncmp$atoimemset$memcpy
                                                                                                    • String ID: fullname$hostname$identities$mail.account.account$mail.identity$mail.server$port$server$signon.signonfilename$true$type$useSecAuth$useremail$username
                                                                                                    • API String ID: 2825158086-593045482
                                                                                                    • Opcode ID: d389e3c4320d959ad948487e3872a8637bfc9f18e20058ce9d17245a94e7a976
                                                                                                    • Instruction ID: 1e907043fac54bf2e371806c1eb24ba38ca233ac5dd260cadef0f6990961d541
                                                                                                    • Opcode Fuzzy Hash: d389e3c4320d959ad948487e3872a8637bfc9f18e20058ce9d17245a94e7a976
                                                                                                    • Instruction Fuzzy Hash: 3C71D832804204AEFF14ABA1DD02B9E77B5DF91329F21406FF545B21C1EB7D9A18D64C
                                                                                                    APIs
                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 0040FDA3
                                                                                                    • GetDlgItem.USER32(?,000003E8), ref: 0040FDAF
                                                                                                    • GetWindowLongA.USER32(00000000,000000F0), ref: 0040FDBE
                                                                                                    • GetWindowLongA.USER32(?,000000F0), ref: 0040FDCA
                                                                                                    • GetWindowLongA.USER32(00000000,000000EC), ref: 0040FDD3
                                                                                                    • GetWindowLongA.USER32(?,000000EC), ref: 0040FDDF
                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 0040FDF1
                                                                                                    • GetWindowRect.USER32(?,?), ref: 0040FDFC
                                                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0040FE10
                                                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0040FE1E
                                                                                                    • GetDC.USER32 ref: 0040FE57
                                                                                                    • strlen.MSVCRT ref: 0040FE97
                                                                                                    • GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 0040FEA8
                                                                                                    • ReleaseDC.USER32(?,?), ref: 0040FEF5
                                                                                                    • sprintf.MSVCRT ref: 0040FFB5
                                                                                                    • SetWindowTextA.USER32(?,?), ref: 0040FFC9
                                                                                                    • SetWindowTextA.USER32(?,00000000), ref: 0040FFE7
                                                                                                    • GetDlgItem.USER32(?,00000001), ref: 0041001D
                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 0041002D
                                                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041003B
                                                                                                    • GetClientRect.USER32(?,?), ref: 00410052
                                                                                                    • GetWindowRect.USER32(?,?), ref: 0041005C
                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 004100A2
                                                                                                    • GetClientRect.USER32(?,?), ref: 004100AC
                                                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 004100E4
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
                                                                                                    • String ID: %s:$EDIT$STATIC
                                                                                                    • API String ID: 1703216249-3046471546
                                                                                                    • Opcode ID: be54f816406a202d5615b3af9ad2dfe990fb4b07b3e5f264db4d901fa9d3bfd2
                                                                                                    • Instruction ID: 60093129ffb9b10d71bc98ba01756b195f92c815bd96d79b3314cc8c80e42073
                                                                                                    • Opcode Fuzzy Hash: be54f816406a202d5615b3af9ad2dfe990fb4b07b3e5f264db4d901fa9d3bfd2
                                                                                                    • Instruction Fuzzy Hash: 62B1DE71108741AFDB20DF68C985E6BBBE9FF88704F00492EF69992261DB75E804CF56
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 004024E7
                                                                                                      • Part of subcall function 00410452: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,004107E3,?,?,?,?,004107E3,00000000,?,?), ref: 0041046D
                                                                                                    • _mbscpy.MSVCRT(?,00000000,?,?,?,75A8EB20,?,00000000), ref: 00402525
                                                                                                    • _mbscpy.MSVCRT(?,?), ref: 004025EF
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _mbscpy$QueryValuememset
                                                                                                    • String ID: HTTPMail$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$Password2$SMTP$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                                                                                                    • API String ID: 168965057-606283353
                                                                                                    • Opcode ID: 5dbff6597920aada75ae8aaeb86cab491c9827adffffbf44ad9357716d36e750
                                                                                                    • Instruction ID: 01ace8319ffdb9fe87aab8cc910760b0be55d28e69d7af66dfccc1b3ad16f9ad
                                                                                                    • Opcode Fuzzy Hash: 5dbff6597920aada75ae8aaeb86cab491c9827adffffbf44ad9357716d36e750
                                                                                                    • Instruction Fuzzy Hash: 815163B540161CEBEF20DF91DC85ADD7BACAF04318F50846BFA08A6142D7BD9584CF98
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040285B
                                                                                                      • Part of subcall function 00402994: RegQueryValueExA.ADVAPI32(00000400,?,00000000,?,?,?), ref: 004029C5
                                                                                                    • _mbscpy.MSVCRT(?,?,75A8EB20,?,00000000), ref: 00402895
                                                                                                      • Part of subcall function 00402994: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004029F3
                                                                                                    • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,75A8EB20,?,00000000), ref: 0040296D
                                                                                                      • Part of subcall function 0041042B: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402928,?,?,?,?,00402928,?,?), ref: 0041044A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: QueryValue_mbscpy$ByteCharMultiWidememset
                                                                                                    • String ID: Display Name$Email$HTTP$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$Password$SMTP$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
                                                                                                    • API String ID: 1497257669-167382505
                                                                                                    • Opcode ID: fb3ed3ae92ef97c750fd38775156bd4655232a824b152189a5320ea8a9642570
                                                                                                    • Instruction ID: 24fe9e335227be75b4da69fc4be99485a809f42695e36ab36f90f83f1315ab2f
                                                                                                    • Opcode Fuzzy Hash: fb3ed3ae92ef97c750fd38775156bd4655232a824b152189a5320ea8a9642570
                                                                                                    • Instruction Fuzzy Hash: 22514DB150060C9BEF25EF61DC85ADD7BA8FF04308F50802BF924661A2DBB99958CF48
                                                                                                    APIs
                                                                                                    • EndDialog.USER32(?,?), ref: 0040F600
                                                                                                    • GetDlgItem.USER32(?,000003EA), ref: 0040F618
                                                                                                    • SendMessageA.USER32(00000000,000000B1,00000000,0000FFFF), ref: 0040F637
                                                                                                    • SendMessageA.USER32(?,00000301,00000000,00000000), ref: 0040F644
                                                                                                    • SendMessageA.USER32(?,000000B1,00000000,00000000), ref: 0040F64D
                                                                                                    • memset.MSVCRT ref: 0040F675
                                                                                                    • memset.MSVCRT ref: 0040F695
                                                                                                    • memset.MSVCRT ref: 0040F6B3
                                                                                                    • memset.MSVCRT ref: 0040F6CC
                                                                                                    • memset.MSVCRT ref: 0040F6EA
                                                                                                    • memset.MSVCRT ref: 0040F703
                                                                                                    • GetCurrentProcess.KERNEL32 ref: 0040F70B
                                                                                                    • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0040F730
                                                                                                    • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0040F766
                                                                                                    • memset.MSVCRT ref: 0040F7BD
                                                                                                    • GetCurrentProcessId.KERNEL32 ref: 0040F7CB
                                                                                                    • memcpy.MSVCRT(?,00450E50,00000118), ref: 0040F7FA
                                                                                                    • _mbscpy.MSVCRT(?,00000000), ref: 0040F81C
                                                                                                    • sprintf.MSVCRT ref: 0040F887
                                                                                                    • SetDlgItemTextA.USER32(?,000003EA,?), ref: 0040F8A0
                                                                                                    • GetDlgItem.USER32(?,000003EA), ref: 0040F8AA
                                                                                                    • SetFocus.USER32(00000000), ref: 0040F8B1
                                                                                                    Strings
                                                                                                    • {Unknown}, xrefs: 0040F67A
                                                                                                    • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s, xrefs: 0040F881
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_mbscpymemcpysprintf
                                                                                                    • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s${Unknown}
                                                                                                    • API String ID: 1428123949-3474136107
                                                                                                    • Opcode ID: 7da0019b15a70a8ecc86a35ddbb970a570ad0084860970d5c569cc259bcc4bb3
                                                                                                    • Instruction ID: eaf6f4841f79e9ca67ab0c8a61f7093b44a411cbafad24e33deb6097971d8b5c
                                                                                                    • Opcode Fuzzy Hash: 7da0019b15a70a8ecc86a35ddbb970a570ad0084860970d5c569cc259bcc4bb3
                                                                                                    • Instruction Fuzzy Hash: 4271B576404344BFEB31ABA0DC41EDB7B9CFB94345F00443AF644A25A1DB399D18CB6A
                                                                                                    APIs
                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 004010BC
                                                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 00401103
                                                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 0040113E
                                                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
                                                                                                    • LoadCursorA.USER32(00000067), ref: 0040115F
                                                                                                    • SetCursor.USER32(00000000,?,?), ref: 00401166
                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 00401186
                                                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 004011AD
                                                                                                    • SetBkMode.GDI32(?,00000001), ref: 004011B9
                                                                                                    • SetTextColor.GDI32(?,00C00000), ref: 004011C7
                                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 004011CF
                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 004011EF
                                                                                                    • EndDialog.USER32(?,00000001), ref: 0040121A
                                                                                                    • DeleteObject.GDI32(?), ref: 00401226
                                                                                                    • GetDlgItem.USER32(?,000003ED), ref: 0040124A
                                                                                                    • ShowWindow.USER32(00000000), ref: 00401253
                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 0040125F
                                                                                                    • ShowWindow.USER32(00000000), ref: 00401262
                                                                                                    • SetDlgItemTextA.USER32(?,000003EE,00451398), ref: 00401273
                                                                                                    • memset.MSVCRT ref: 0040128E
                                                                                                    • SetWindowTextA.USER32(?,00000000), ref: 004012AA
                                                                                                    • SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
                                                                                                    • SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
                                                                                                    • String ID:
                                                                                                    APIs
                                                                                                      • Part of subcall function 00408DE1: LoadMenuA.USER32(00000000), ref: 00408DE9
                                                                                                      • Part of subcall function 00408DE1: sprintf.MSVCRT ref: 00408E0C
                                                                                                    • SetMenu.USER32(?,00000000), ref: 0040BA7E
                                                                                                    • SendMessageA.USER32(00000000,00000404,00000001,?), ref: 0040BAB1
                                                                                                    • LoadImageA.USER32(00000068,00000000,00000000,00000000,00009060), ref: 0040BAC7
                                                                                                    • CreateWindowExA.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000), ref: 0040BB27
                                                                                                    • LoadIconA.USER32(00000066,00000000), ref: 0040BB96
                                                                                                    • _strcmpi.MSVCRT ref: 0040BBEE
                                                                                                    • RegDeleteKeyA.ADVAPI32(80000001,0044551F), ref: 0040BC03
                                                                                                    • SetFocus.USER32(?,00000000), ref: 0040BC29
                                                                                                    • GetFileAttributesA.KERNEL32(004518C0), ref: 0040BC42
                                                                                                    • GetTempPathA.KERNEL32(00000104,004518C0), ref: 0040BC52
                                                                                                    • strlen.MSVCRT ref: 0040BC59
                                                                                                    • strlen.MSVCRT ref: 0040BC67
                                                                                                    • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 0040BCC3
                                                                                                      • Part of subcall function 00404B82: strlen.MSVCRT ref: 00404B9F
                                                                                                      • Part of subcall function 00404B82: SendMessageA.USER32(00000000,0000101B,00000000,?), ref: 00404BC3
                                                                                                    • SendMessageA.USER32(?,00000404,00000002,?), ref: 0040BD0E
                                                                                                    • SendMessageA.USER32(?,00000401,00001001,00000000), ref: 0040BD21
                                                                                                    • memset.MSVCRT ref: 0040BD36
                                                                                                    • SetWindowTextA.USER32(?,?), ref: 0040BD5A
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$Loadstrlen$MenuWindow$AttributesClipboardCreateDeleteFileFocusFormatIconImagePathRegisterTempText_strcmpimemsetsprintf
                                                                                                    • String ID: /noloadsettings$SysListView32$commdlg_FindReplace$report.html
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: _mbscat$memsetsprintf$_mbscpy
                                                                                                    • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040A6CF
                                                                                                    • memset.MSVCRT ref: 0040A6F2
                                                                                                    • memset.MSVCRT ref: 0040A708
                                                                                                    • memset.MSVCRT ref: 0040A718
                                                                                                    • sprintf.MSVCRT ref: 0040A74C
                                                                                                    • _mbscpy.MSVCRT(00000000, nowrap), ref: 0040A793
                                                                                                    • sprintf.MSVCRT ref: 0040A81A
                                                                                                    • _mbscat.MSVCRT ref: 0040A849
                                                                                                      • Part of subcall function 00410943: sprintf.MSVCRT ref: 00410962
                                                                                                    • _mbscpy.MSVCRT(?,?), ref: 0040A82E
                                                                                                    • sprintf.MSVCRT ref: 0040A87D
                                                                                                      • Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
                                                                                                      • Part of subcall function 00406AD1: WriteFile.KERNEL32(00445BB0,00000001,00000000,74DF0A60,00000000,?,?,0040A51A,00000001,00445BB0,74DF0A60), ref: 00406AEB
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: memsetsprintf$_mbscpy$FileWrite_mbscatstrlen
                                                                                                    • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: sprintf$memset$_mbscpy
                                                                                                    • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                    APIs
                                                                                                    • memcmp.MSVCRT(?,file:,00000005,00000000,00000000,BINARY,?,?,?,?,00442034,00000000), ref: 00441AB5
                                                                                                    • memcmp.MSVCRT(localhost,?,00000009,00000000,00000000,BINARY,?,?,?,?,00442034,00000000), ref: 00441B43
                                                                                                    • memcmp.MSVCRT(vfs,00000001,00000000,00000000,00000000,BINARY,?,?,?,?,00442034,00000000), ref: 00441CED
                                                                                                    • memcmp.MSVCRT(cache,00000001,00000005,00000000,00000000,BINARY), ref: 00441D19
                                                                                                    • memcmp.MSVCRT(mode,00000001,00000004,00000000,00000000,BINARY), ref: 00441D4B
                                                                                                    • memcmp.MSVCRT(00000000,00000004,00442034,00000000,00000000,BINARY), ref: 00441D96
                                                                                                    • memcpy.MSVCRT(00000000,?,00000000,00000000,00000000,BINARY,?,?,?,?,00442034,00000000), ref: 00441E29
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: memcmp$memcpy
                                                                                                    • String ID: %s mode not allowed: %s$BINARY$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040C150
                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,00000000,00000000), ref: 0040C161
                                                                                                    • strrchr.MSVCRT ref: 0040C170
                                                                                                    • _mbscat.MSVCRT ref: 0040C18A
                                                                                                    • _mbscpy.MSVCRT(?,00000000,00000000,.cfg), ref: 0040C1BE
                                                                                                    • _mbscpy.MSVCRT(00000000,General,?,00000000,00000000,.cfg), ref: 0040C1CF
                                                                                                    • GetWindowPlacement.USER32(?,?), ref: 0040C265
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
                                                                                                    • String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos$lD
                                                                                                    APIs
                                                                                                      • Part of subcall function 004078B8: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040EAAB,?,?,?,?), ref: 004078D1
                                                                                                      • Part of subcall function 004078B8: CloseHandle.KERNEL32(00000000,?,?,?), ref: 004078FD
                                                                                                      • Part of subcall function 004045BD: free.MSVCRT ref: 004045C4
                                                                                                      • Part of subcall function 00406DD3: _mbscpy.MSVCRT(?,?,0040EACC,?,?,?,?,?), ref: 00406DD8
                                                                                                      • Part of subcall function 00406DD3: strrchr.MSVCRT ref: 00406DE0
                                                                                                      • Part of subcall function 0040D7EA: memset.MSVCRT ref: 0040D80B
                                                                                                      • Part of subcall function 0040D7EA: memset.MSVCRT ref: 0040D81F
                                                                                                      • Part of subcall function 0040D7EA: memset.MSVCRT ref: 0040D833
                                                                                                      • Part of subcall function 0040D7EA: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040D900
                                                                                                      • Part of subcall function 0040D7EA: memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040D960
                                                                                                    • strlen.MSVCRT ref: 0040EAF0
                                                                                                    • strlen.MSVCRT ref: 0040EAFE
                                                                                                    • memset.MSVCRT ref: 0040EB3F
                                                                                                    • strlen.MSVCRT ref: 0040EB4E
                                                                                                    • strlen.MSVCRT ref: 0040EB5C
                                                                                                    • memset.MSVCRT ref: 0040EB9D
                                                                                                    • strlen.MSVCRT ref: 0040EBAC
                                                                                                    • strlen.MSVCRT ref: 0040EBBA
                                                                                                    • _strcmpi.MSVCRT ref: 0040EC68
                                                                                                    • _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040EC83
                                                                                                      • Part of subcall function 00406E81: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,0040210D,00000000,nss3.dll), ref: 00406E89
                                                                                                      • Part of subcall function 00406E81: _mbscat.MSVCRT ref: 00406E98
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: strlen$memset$_mbscpy$memcpy$CloseFileHandleSize_mbscat_strcmpifreestrrchr
                                                                                                    • String ID: logins.json$none$signons.sqlite$signons.txt
                                                                                                    • API String ID: 1790961710-3138536805
                                                                                                    • Opcode ID: 4f14c36e44b5096a019ef81da6c94dddbe7f031c20d1b7d5593abf6fb10a42be
                                                                                                    • Instruction ID: df88ffc6541641ac30fc10f5b0fca58fec5c07c4b1c9a15943a758993f488c50
                                                                                                    • Opcode Fuzzy Hash: 4f14c36e44b5096a019ef81da6c94dddbe7f031c20d1b7d5593abf6fb10a42be
                                                                                                    • Instruction Fuzzy Hash: 2D512971508209AEE714EB62DC85BDAB7ECAF11305F10057BE145E20C2EF79B6648B99
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _strcmpi
                                                                                                    • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                                    • API String ID: 1439213657-1959339147
                                                                                                    • Opcode ID: a68a991a2b5d30f9e39ec3670898e42f382199c0509315e17a46049111a42881
                                                                                                    • Instruction ID: 4795e8c1a20e30d0c9bbc9b6431cc8fe1bf434ed6b151c21ba544f3180274443
                                                                                                    • Opcode Fuzzy Hash: a68a991a2b5d30f9e39ec3670898e42f382199c0509315e17a46049111a42881
                                                                                                    • Instruction Fuzzy Hash: 89012C6328A71168F93822A63C07F931A88CBD2B3BF32021FFA04E40C4EE5D9014946E
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00443AF6
                                                                                                      • Part of subcall function 00443946: strlen.MSVCRT ref: 00443953
                                                                                                    • strlen.MSVCRT ref: 00443B12
                                                                                                    • memset.MSVCRT ref: 00443B4C
                                                                                                    • memset.MSVCRT ref: 00443B60
                                                                                                    • memset.MSVCRT ref: 00443B74
                                                                                                    • memset.MSVCRT ref: 00443B9A
                                                                                                      • Part of subcall function 0040CF27: memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00443EE6,?,?,?,00000008,?,00000000,00000000), ref: 0040CFB8
                                                                                                      • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040CFE4
                                                                                                      • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040CFFA
                                                                                                      • Part of subcall function 0040CFC5: memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040380C,00000000), ref: 0040D031
                                                                                                      • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040D03B
                                                                                                    • memcpy.MSVCRT(?,00000000,00000008,?,?,?,00000000,000003FF,?,00000000,0000041E,?,00000000,0000041E,?,00000000), ref: 00443BD1
                                                                                                      • Part of subcall function 0040CF27: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00443EE6,?,?,?,00000008,?,00000000,00000000), ref: 0040CF6A
                                                                                                      • Part of subcall function 0040CF27: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00443EE6,?,?,?,00000008,?,00000000,00000000), ref: 0040CF94
                                                                                                      • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040D00C
                                                                                                    • memcpy.MSVCRT(?,?,00000010,?,?), ref: 00443C0D
                                                                                                    • memcpy.MSVCRT(?,?,00000008,?,?,00000010,?,?), ref: 00443C1F
                                                                                                    • _mbscpy.MSVCRT(?,?), ref: 00443CF6
                                                                                                    • memcpy.MSVCRT(?,?,00000004,?,?,?,?), ref: 00443D27
                                                                                                    • memcpy.MSVCRT(?,?,00000004,?,?,00000004,?,?,?,?), ref: 00443D39
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpymemset$strlen$_mbscpy
                                                                                                    • String ID: salu
                                                                                                    • API String ID: 3691931180-4177317985
                                                                                                    • Opcode ID: 83225db928fd883c42bee6e282a9482a018d5535a4f1b577ace8486b86518c40
                                                                                                    • Instruction ID: ac1bd25895dca9443f5d295c1451dfd6054ecd25aeec11951aea85171a240119
                                                                                                    • Opcode Fuzzy Hash: 83225db928fd883c42bee6e282a9482a018d5535a4f1b577ace8486b86518c40
                                                                                                    • Instruction Fuzzy Hash: E1715F7290011DAADB10EFA5CC81ADEB7BDBF08348F1405BAF648E7191DB749B488F95
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNEL32(psapi.dll,?,0040F791), ref: 0040F9BF
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 0040F9D8
                                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 0040F9E9
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 0040F9FA
                                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0040FA0B
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 0040FA1C
                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 0040FA3C
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$Library$FreeLoad
                                                                                                    • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                                                                                                    • API String ID: 2449869053-232097475
                                                                                                    • Opcode ID: 41a7431a570a879339345957c21e7bbc60c6881d878c9e33f6f290671b5569e0
                                                                                                    • Instruction ID: b0622ab91b6b15bab8cd8e6e0f6310f6235a52dd738245c008a901a401bb443a
                                                                                                    • Opcode Fuzzy Hash: 41a7431a570a879339345957c21e7bbc60c6881d878c9e33f6f290671b5569e0
                                                                                                    • Instruction Fuzzy Hash: C6017574A41315ABDB31DB256D41F6B2DE49786B41B100037F808F16A5E7B8D806CF6D
                                                                                                    APIs
                                                                                                      • Part of subcall function 00404666: _mbscpy.MSVCRT ref: 004046B5
                                                                                                      • Part of subcall function 0040472F: LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
                                                                                                      • Part of subcall function 0040472F: GetProcAddress.KERNEL32(00000000,?), ref: 0040474F
                                                                                                    • strlen.MSVCRT ref: 00442FBF
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000001), ref: 00442FCF
                                                                                                    • memset.MSVCRT ref: 0044301B
                                                                                                    • memset.MSVCRT ref: 00443038
                                                                                                    • _mbscpy.MSVCRT(?,Software\Microsoft\Windows Live Mail), ref: 00443066
                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 004430AA
                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?), ref: 004430FB
                                                                                                    • LocalFree.KERNEL32(?), ref: 00443110
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00443119
                                                                                                      • Part of subcall function 0040710B: strtoul.MSVCRT ref: 00407113
                                                                                                    Strings
                                                                                                    • Software\Microsoft\Windows Live Mail, xrefs: 0044305A
                                                                                                    • Salt, xrefs: 00443094
                                                                                                    • Software\Microsoft\Windows Mail, xrefs: 0044304E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _mbscpymemset$??2@??3@AddressByteCharCloseFreeLibraryLoadLocalMultiProcWidestrlenstrtoul
                                                                                                    • String ID: Salt$Software\Microsoft\Windows Live Mail$Software\Microsoft\Windows Mail
                                                                                                    • API String ID: 665470638-2687544566
                                                                                                    • Opcode ID: 9f27746001990e1505ad47b8783b2ad13906275ef7097c4622a716a729d7b53b
                                                                                                    • Instruction ID: f7bf93f0836b67bba3c835e38737b5ae5122e901c23063e01546d75898481f5a
                                                                                                    • Opcode Fuzzy Hash: 9f27746001990e1505ad47b8783b2ad13906275ef7097c4622a716a729d7b53b
                                                                                                    • Instruction Fuzzy Hash: F7417676C0411CAEDB11DFE4DC81EDEBBBCAF49314F1441ABE644E3242DA349A44CB69
                                                                                                    APIs
                                                                                                    • RegOpenKeyExA.ADVAPI32(0040F591,Creds,00000000,00020019,0040F591,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040F591,?,?,?,?), ref: 0040F1A1
                                                                                                    • memset.MSVCRT ref: 0040F1BF
                                                                                                    • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0040F1EC
                                                                                                    • RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040F215
                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040F28E
                                                                                                    • LocalFree.KERNEL32(?), ref: 0040F2A1
                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 0040F2AC
                                                                                                    • RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F2C3
                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 0040F2D4
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
                                                                                                    • String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Creds$ps:password
                                                                                                    • API String ID: 551151806-1288872324
                                                                                                    • Opcode ID: 65086e80b6a5b02b29051501ab280fcd45d06adf4574d2fdc8f27417bda8f6f7
                                                                                                    • Instruction ID: 6090246ec9a09cf2b7bf1ee2c59d5b558b26d9adbf6fbfd3eb8a6f02fd62f1f0
                                                                                                    • Opcode Fuzzy Hash: 65086e80b6a5b02b29051501ab280fcd45d06adf4574d2fdc8f27417bda8f6f7
                                                                                                    • Instruction Fuzzy Hash: D7413ABA900209AFDF21DF95DC44EEFBBBCEF49704F0000B6F905E2151DA349A548B64
                                                                                                    APIs
                                                                                                      • Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
                                                                                                      • Part of subcall function 00406AD1: WriteFile.KERNEL32(00445BB0,00000001,00000000,74DF0A60,00000000,?,?,0040A51A,00000001,00445BB0,74DF0A60), ref: 00406AEB
                                                                                                    • memset.MSVCRT ref: 00403EBB
                                                                                                    • memset.MSVCRT ref: 00403ECF
                                                                                                    • memset.MSVCRT ref: 00403EE3
                                                                                                    • sprintf.MSVCRT ref: 00403F04
                                                                                                    • _mbscpy.MSVCRT(?,<table dir="rtl"><tr><td>), ref: 00403F20
                                                                                                    • sprintf.MSVCRT ref: 00403F57
                                                                                                    • sprintf.MSVCRT ref: 00403F88
                                                                                                    Strings
                                                                                                    • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00403E93
                                                                                                    • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00403F82
                                                                                                    • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00403EFE
                                                                                                    • <table dir="rtl"><tr><td>, xrefs: 00403F1A
                                                                                                    • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00403F32
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memsetsprintf$FileWrite_mbscpystrlen
                                                                                                    • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                                                    • API String ID: 113626815-1670831295
                                                                                                    • Opcode ID: 0864bff5b9f245e7e00702d5ae0a005148ce56c4a893c65d197af4b0a75b44c0
                                                                                                    • Instruction ID: 806bb3af6c01162091129d7dbd14bcfdd9389eda619bfd821539a1a2e53cd61a
                                                                                                    • Opcode Fuzzy Hash: 0864bff5b9f245e7e00702d5ae0a005148ce56c4a893c65d197af4b0a75b44c0
                                                                                                    • Instruction Fuzzy Hash: 553187B2944218BAEB10EB95CC41FDF77ACEB44305F1040ABF609A3141DE789F988B69
                                                                                                    APIs
                                                                                                    • sprintf.MSVCRT ref: 004092EC
                                                                                                    • LoadMenuA.USER32(?,?), ref: 004092FA
                                                                                                      • Part of subcall function 00409123: GetMenuItemCount.USER32(?), ref: 00409138
                                                                                                      • Part of subcall function 00409123: memset.MSVCRT ref: 00409159
                                                                                                      • Part of subcall function 00409123: GetMenuItemInfoA.USER32 ref: 00409194
                                                                                                      • Part of subcall function 00409123: strchr.MSVCRT ref: 004091AB
                                                                                                    • DestroyMenu.USER32(00000000), ref: 00409318
                                                                                                    • sprintf.MSVCRT ref: 0040935C
                                                                                                    • CreateDialogParamA.USER32(?,00000000,00000000,004092C6,00000000), ref: 00409371
                                                                                                    • memset.MSVCRT ref: 0040938D
                                                                                                    • GetWindowTextA.USER32(00000000,?,00001000), ref: 0040939E
                                                                                                    • EnumChildWindows.USER32(00000000,Function_00009213,00000000), ref: 004093C6
                                                                                                    • DestroyWindow.USER32(00000000), ref: 004093CD
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
                                                                                                    • String ID: caption$dialog_%d$menu_%d
                                                                                                    • API String ID: 3259144588-3822380221
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040F798), ref: 0040F937
                                                                                                    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0040F950
                                                                                                    • GetProcAddress.KERNEL32(00000000,Module32First), ref: 0040F961
                                                                                                    • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0040F972
                                                                                                    • GetProcAddress.KERNEL32(00000000,Process32First), ref: 0040F983
                                                                                                    • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040F994
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$HandleModule
                                                                                                    • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                                                    • API String ID: 667068680-3953557276
                                                                                                    APIs
                                                                                                      • Part of subcall function 00404651: FreeLibrary.KERNEL32(?,004045DE,?,0040F07D,?,00000000), ref: 00404658
                                                                                                    • LoadLibraryA.KERNEL32(advapi32.dll,?,0040F07D,?,00000000), ref: 004045E3
                                                                                                    • GetProcAddress.KERNEL32(00000000,CredReadA), ref: 004045FC
                                                                                                    • GetProcAddress.KERNEL32(?,CredFree), ref: 00404608
                                                                                                    • GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404614
                                                                                                    • GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404620
                                                                                                    • GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040462C
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$Library$FreeLoad
                                                                                                    • String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
                                                                                                    • API String ID: 2449869053-4258758744
                                                                                                    APIs
                                                                                                    • wcsstr.MSVCRT ref: 0040424C
                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00404293
                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042A7
                                                                                                    • _mbscpy.MSVCRT(?,?), ref: 004042B7
                                                                                                    • _mbscpy.MSVCRT(?,?,?,?), ref: 004042CA
                                                                                                    • strchr.MSVCRT ref: 004042D8
                                                                                                    • strlen.MSVCRT ref: 004042EC
                                                                                                    • sprintf.MSVCRT ref: 0040430D
                                                                                                    • strchr.MSVCRT ref: 0040431E
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
                                                                                                    • String ID: %s@gmail.com$www.google.com
                                                                                                    • API String ID: 3866421160-4070641962
                                                                                                    APIs
                                                                                                    • _mbscpy.MSVCRT(00451200,00000000,00000000,00000000,?,?,004095D3,00000000,?,00000000,00000104,?), ref: 004094BA
                                                                                                    • _mbscpy.MSVCRT(00451308,general,00451200,00000000,00000000,00000000,?,?,004095D3,00000000,?,00000000,00000104,?), ref: 004094CA
                                                                                                      • Part of subcall function 0040907D: memset.MSVCRT ref: 004090A2
                                                                                                      • Part of subcall function 0040907D: GetPrivateProfileStringA.KERNEL32(00451308,00000104,0044551F,?,00001000,00451200), ref: 004090C6
                                                                                                      • Part of subcall function 0040907D: WritePrivateProfileStringA.KERNEL32(00451308,?,?,00451200), ref: 004090DD
                                                                                                    • EnumResourceNamesA.KERNEL32(00000104,00000004,004092CB,00000000), ref: 00409500
                                                                                                    • EnumResourceNamesA.KERNEL32(00000104,00000005,004092CB,00000000), ref: 0040950A
                                                                                                    • _mbscpy.MSVCRT(00451308,strings,?,004095D3,00000000,?,00000000,00000104,?), ref: 00409512
                                                                                                    • memset.MSVCRT ref: 0040952E
                                                                                                    • LoadStringA.USER32(00000104,00000000,?,00001000), ref: 00409542
                                                                                                      • Part of subcall function 004090EB: _itoa.MSVCRT ref: 0040910C
                                                                                                    Similarity
                                                                                                    • API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
                                                                                                    • String ID: TranslatorName$TranslatorURL$general$strings
                                                                                                    • API String ID: 1035899707-3647959541
                                                                                                    APIs
                                                                                                    • _mbscpy.MSVCRT(?,Common Programs,004107CB,?,?,?,?,?,00000104), ref: 00410720
                                                                                                    Similarity
                                                                                                    • API ID: _mbscpy
                                                                                                    • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                                                                    • API String ID: 714388716-318151290
                                                                                                    APIs
                                                                                                    • SetBkMode.GDI32(?,00000001), ref: 0040C7C9
                                                                                                    • SetTextColor.GDI32(?,00FF0000), ref: 0040C7D7
                                                                                                    • SelectObject.GDI32(?,?), ref: 0040C7EC
                                                                                                    • DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040C821
                                                                                                    • SelectObject.GDI32(00000014,?), ref: 0040C82D
                                                                                                      • Part of subcall function 0040C586: GetCursorPos.USER32(?), ref: 0040C593
                                                                                                      • Part of subcall function 0040C586: GetSubMenu.USER32(?,00000000), ref: 0040C5A1
                                                                                                      • Part of subcall function 0040C586: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040C5CE
                                                                                                    • LoadCursorA.USER32(00000067), ref: 0040C84E
                                                                                                    • SetCursor.USER32(00000000), ref: 0040C855
                                                                                                    • PostMessageA.USER32(?,0000041C,00000000,00000000), ref: 0040C877
                                                                                                    • SetFocus.USER32(?), ref: 0040C8B2
                                                                                                    • SetFocus.USER32(?), ref: 0040C92B
                                                                                                    Similarity
                                                                                                    • API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadMessageModePopupPostTrack
                                                                                                    • String ID:
                                                                                                    • API String ID: 1416211542-0
                                                                                                    APIs
                                                                                                    Similarity
                                                                                                    • API ID: _strcmpi_strnicmpmemsetsprintf$strlen
                                                                                                    • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                                                                                                    • API String ID: 2360744853-2229823034
                                                                                                    APIs
                                                                                                      • Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,004107BA,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410424
                                                                                                    • memset.MSVCRT ref: 00402C8F
                                                                                                      • Part of subcall function 004104D7: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 004104FA
                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 00402D91
                                                                                                      • Part of subcall function 00410493: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 004104CC
                                                                                                    • memset.MSVCRT ref: 00402CE9
                                                                                                    • sprintf.MSVCRT ref: 00402D02
                                                                                                    • sprintf.MSVCRT ref: 00402D40
                                                                                                      • Part of subcall function 00402BC3: memset.MSVCRT ref: 00402BE3
                                                                                                      • Part of subcall function 00402BC3: RegCloseKey.ADVAPI32 ref: 00402C47
                                                                                                    Similarity
                                                                                                    • API ID: Closememset$sprintf$EnumOpen
                                                                                                    • String ID: %s\%s$Identities$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Username
                                                                                                    APIs
                                                                                                    • strchr.MSVCRT ref: 0040FA5C
                                                                                                    • _mbscpy.MSVCRT(?,-00000001), ref: 0040FA6A
                                                                                                      • Part of subcall function 004075CB: strlen.MSVCRT ref: 004075DD
                                                                                                      • Part of subcall function 004075CB: strlen.MSVCRT ref: 004075E5
                                                                                                      • Part of subcall function 004075CB: _memicmp.MSVCRT ref: 00407603
                                                                                                    • _mbscpy.MSVCRT(?,00000000,00000000,?,00000000,00000104,00000104), ref: 0040FABA
                                                                                                    • _mbscat.MSVCRT ref: 0040FAC5
                                                                                                    • memset.MSVCRT ref: 0040FAA1
                                                                                                      • Part of subcall function 00406EF9: GetWindowsDirectoryA.KERNEL32(004517B0,00000104,?,0040FAFA,00000000,?,00000000,00000104,00000104), ref: 00406F0E
                                                                                                      • Part of subcall function 00406EF9: _mbscpy.MSVCRT(00000000,004517B0,?,0040FAFA,00000000,?,00000000,00000104,00000104), ref: 00406F1E
                                                                                                    • memset.MSVCRT ref: 0040FAE9
                                                                                                    • memcpy.MSVCRT(?,00000000,00000002,00000000,?,00000000,00000104,00000104), ref: 0040FB04
                                                                                                    • _mbscat.MSVCRT ref: 0040FB0F
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
                                                                                                    • String ID: \systemroot
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00406650
                                                                                                      • Part of subcall function 00406CA4: strlen.MSVCRT ref: 00406CA9
                                                                                                      • Part of subcall function 00406CA4: memcpy.MSVCRT(?,00401CA0,00000000,00000000,00401CA0,00000001,00000104,?,?,?,?,?,00000000), ref: 00406CBE
                                                                                                    • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,key4.db,00000143,00000000), ref: 00406719
                                                                                                    • memcpy.MSVCRT(?,00000015,?,?,?,?,?,?,?,?,?,key4.db,00000143,00000000), ref: 00406731
                                                                                                    • memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,key4.db,00000143), ref: 0040674A
                                                                                                    • memcmp.MSVCRT(00000000,0044FE98,00000010,?,?,?,?,?,?,?,?,?,?,key4.db,00000143,00000000), ref: 004067EB
                                                                                                    • memcpy.MSVCRT(?,00000015,?), ref: 0040680F
                                                                                                    • memcpy.MSVCRT(?,?,00000020), ref: 00406827
                                                                                                    Strings
                                                                                                    • C@, xrefs: 00406625
                                                                                                    • SELECT a11,a102 FROM nssPrivate, xrefs: 0040677A
                                                                                                    • key4.db, xrefs: 00406632
                                                                                                    • SELECT item1,item2 FROM metadata WHERE id = 'password', xrefs: 0040668D
                                                                                                    Similarity
                                                                                                    • API ID: memcpy$memcmpmemsetstrlen
                                                                                                    • String ID: C@$SELECT a11,a102 FROM nssPrivate$SELECT item1,item2 FROM metadata WHERE id = 'password'$key4.db
                                                                                                    APIs
                                                                                                      • Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,004107BA,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410424
                                                                                                    • memset.MSVCRT ref: 00403010
                                                                                                      • Part of subcall function 004104D7: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 004104FA
                                                                                                    • memset.MSVCRT ref: 0040305D
                                                                                                    • sprintf.MSVCRT ref: 00403075
                                                                                                    • memset.MSVCRT ref: 004030A6
                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 004030EE
                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 00403117
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: memset$Close$EnumOpensprintf
                                                                                                    • String ID: %s\Accounts$Identity$Software\IncrediMail\Identities
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: Menu$Itemmemset$CountInfoModify_mbscatstrchr
                                                                                                    • String ID: 0$6
                                                                                                    APIs
                                                                                                    • UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410277
                                                                                                    • UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0041028B
                                                                                                    • UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410298
                                                                                                    • memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 004102D6
                                                                                                    • CoTaskMemFree.COMBASE(00000000), ref: 004102E5
                                                                                                    Strings
                                                                                                    • 220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 00410272
                                                                                                    • 220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0041027F
                                                                                                    • 220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 00410286
                                                                                                    • 417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 00410293
                                                                                                    Similarity
                                                                                                    • API ID: FromStringUuid$FreeTaskmemcpy
                                                                                                    • String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
                                                                                                    APIs
                                                                                                      • Part of subcall function 004128D6: strlen.MSVCRT ref: 004128E4
                                                                                                    • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00406678,?,0041D1CF,00000000), ref: 00419165
                                                                                                    • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00406678,?,0041D1CF,00000000), ref: 00419184
                                                                                                    • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00406678,?,0041D1CF,00000000), ref: 00419196
                                                                                                    • memcpy.MSVCRT(?,-journal,0000000A,?,?,?,00000000,00000000,00406678,?,0041D1CF,00000000), ref: 004191AE
                                                                                                    • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00406678,?,0041D1CF,00000000), ref: 004191CB
                                                                                                    • memcpy.MSVCRT(?,-wal,00000005,?,?,?,?,?,?,?,?,?,00000000,00000000,00406678), ref: 004191E3
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: memcpy$strlen
                                                                                                    • String ID: -journal$-wal$immutable$nolock
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: free$strlen
                                                                                                    • String ID:
                                                                                                    APIs
                                                                                                      • Part of subcall function 004045D6: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F07D,?,00000000), ref: 004045E3
                                                                                                      • Part of subcall function 004045D6: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 004045FC
                                                                                                      • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredFree), ref: 00404608
                                                                                                      • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404614
                                                                                                      • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404620
                                                                                                      • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040462C
                                                                                                    • wcslen.MSVCRT ref: 004084C2
                                                                                                    • wcsncmp.MSVCRT ref: 00408506
                                                                                                    • memset.MSVCRT ref: 0040859A
                                                                                                    • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?), ref: 004085BE
                                                                                                    • wcschr.MSVCRT ref: 00408612
                                                                                                    • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 0040863C
                                                                                                      • Part of subcall function 00404780: FreeLibrary.KERNELBASE(?,?), ref: 00404795
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$FreeLibrary$LoadLocalmemcpymemsetwcschrwcslenwcsncmp
                                                                                                    • String ID: J$Microsoft_WinInet
                                                                                                    APIs
                                                                                                    • LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00406B39,?,?), ref: 00406A3F
                                                                                                    • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,?,00000000,?,?,00406B39,?,?), ref: 00406A5D
                                                                                                    • strlen.MSVCRT ref: 00406A6A
                                                                                                    • _mbscpy.MSVCRT(?,?,?,?,00406B39,?,?), ref: 00406A7A
                                                                                                    • LocalFree.KERNEL32(?,?,?,00406B39,?,?), ref: 00406A84
                                                                                                    • _mbscpy.MSVCRT(?,Unknown Error,?,?,00406B39,?,?), ref: 00406A94
                                                                                                    Similarity
                                                                                                    • API ID: _mbscpy$FormatFreeLibraryLoadLocalMessagestrlen
                                                                                                    • String ID: Unknown Error$netmsg.dll
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNEL32(comctl32.dll,74DF0A60,?,00000000,?,?,?,0040CC82,74DF0A60), ref: 00404AB3
                                                                                                    • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404AC5
                                                                                                    • FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040CC82,74DF0A60), ref: 00404AD9
                                                                                                    • MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B04
                                                                                                    Similarity
                                                                                                    • API ID: Library$AddressFreeLoadMessageProc
                                                                                                    • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                    APIs
                                                                                                      • Part of subcall function 00406D1F: GetFileAttributesA.KERNELBASE(?,004093E6,?,0040949C,00000000,?,00000000,00000104,?), ref: 00406D23
                                                                                                    • _mbscpy.MSVCRT(00451200,00000000,00000000,00000000,0040949C,00000000,?,00000000,00000104,?), ref: 004093F7
                                                                                                    • _mbscpy.MSVCRT(00451308,general,00451200,00000000,00000000,00000000,0040949C,00000000,?,00000000,00000104,?), ref: 00409407
                                                                                                    • GetPrivateProfileIntA.KERNEL32(00451308,rtl,00000000,00451200), ref: 00409418
                                                                                                      • Part of subcall function 00408FE9: GetPrivateProfileStringA.KERNEL32(00451308,?,0044551F,00451358,?,00451200), ref: 00409004
                                                                                                    Similarity
                                                                                                    • API ID: PrivateProfile_mbscpy$AttributesFileString
                                                                                                    • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    • cannot ATTACH database within transaction, xrefs: 0042DFAC
                                                                                                    • unable to open database: %s, xrefs: 0042E21C
                                                                                                    • database %s is already in use, xrefs: 0042E014
                                                                                                    • too many attached databases - max %d, xrefs: 0042DF97
                                                                                                    • database is already attached, xrefs: 0042E0DD
                                                                                                    • out of memory, xrefs: 0042E235
                                                                                                    • attached databases must use the same text encoding as main database, xrefs: 0042E12C
                                                                                                    Similarity
                                                                                                    • API ID: memcpymemset
                                                                                                    • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409999,?,?,00000000,74DF0A60,?,00000000), ref: 004097AB
                                                                                                      • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409999,?,?,00000000,74DF0A60,?,00000000), ref: 004097B9
                                                                                                      • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409999,?,?,00000000,74DF0A60,?,00000000), ref: 004097CA
                                                                                                      • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409999,?,?,00000000,74DF0A60,?,00000000), ref: 004097E1
                                                                                                      • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409999,?,?,00000000,74DF0A60,?,00000000), ref: 004097EA
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,00000000,74DF0A60,?,00000000), ref: 004099C0
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,00000000,74DF0A60,?,00000000), ref: 004099DC
                                                                                                    • memcpy.MSVCRT(?,00450728,00000014,?,?,00000000,74DF0A60), ref: 00409A04
                                                                                                    • memcpy.MSVCRT(?,00450714,00000010,?,00450728,00000014,?,?,00000000,74DF0A60), ref: 00409A21
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,00000000,74DF0A60), ref: 00409AAA
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(0000000C,00000000,?,?,?,?,?,00000000,74DF0A60), ref: 00409AB4
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,00000000,74DF0A60), ref: 00409AEC
                                                                                                      • Part of subcall function 00408B27: LoadStringA.USER32(00000000,0000000D,?,?), ref: 00408BF0
                                                                                                      • Part of subcall function 00408B27: memcpy.MSVCRT(00000000,00000001,?,?,?,?,?,00000000,74DF0A60), ref: 00408C2F
                                                                                                      • Part of subcall function 00408B27: _mbscpy.MSVCRT(00451308,strings,?,?,00409A4F,?,?,?,?,?,00000000,74DF0A60), ref: 00408BA2
                                                                                                      • Part of subcall function 00408B27: strlen.MSVCRT ref: 00408BC0
                                                                                                    Similarity
                                                                                                    • API ID: ??2@??3@$memcpy$LoadString_mbscpystrlen
                                                                                                    • String ID: $$d
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040312A: GetPrivateProfileStringA.KERNEL32(00000000,?,0044551F,?,?,?), ref: 0040314E
                                                                                                    • strchr.MSVCRT ref: 0040326D
                                                                                                    Similarity
                                                                                                    • API ID: PrivateProfileStringstrchr
                                                                                                    • String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
                                                                                                    APIs
                                                                                                    • memcpy.MSVCRT(?,&quot;,00000006,?,?,00000000,0040A919,?,?), ref: 0041099F
                                                                                                    • memcpy.MSVCRT(?,&amp;,00000005,?,?,00000000,0040A919,?,?), ref: 004109C5
                                                                                                    • memcpy.MSVCRT(?,&lt;,00000004,?,?,00000000,0040A919,?,?), ref: 004109DD
                                                                                                    Similarity
                                                                                                    • API ID: memcpy
                                                                                                    • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                    APIs
                                                                                                    • GetClientRect.USER32(?,?), ref: 00405E58
                                                                                                    • GetWindow.USER32(?,00000005), ref: 00405E70
                                                                                                    • GetWindow.USER32(00000000), ref: 00405E73
                                                                                                      • Part of subcall function 004015AF: GetWindowRect.USER32(?,?), ref: 004015BE
                                                                                                      • Part of subcall function 004015AF: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004015D9
                                                                                                    • GetWindow.USER32(00000000,00000002), ref: 00405E7F
                                                                                                    • GetDlgItem.USER32(?,000003ED), ref: 00405E96
                                                                                                    • GetDlgItem.USER32(?,00000000), ref: 00405EA8
                                                                                                    • GetDlgItem.USER32(?,00000000), ref: 00405EBA
                                                                                                    • GetDlgItem.USER32(?,000003ED), ref: 00405EC8
                                                                                                    • SetFocus.USER32(00000000), ref: 00405ECB
                                                                                                    Similarity
                                                                                                    • API ID: Window$Item$Rect$ClientFocusPoints
                                                                                                    APIs
                                                                                                      • Part of subcall function 00406E4C: GetVersionExA.KERNEL32(00451168,0000001A,00410749,00000104), ref: 00406E66
                                                                                                    • memset.MSVCRT ref: 0040F396
                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040F3AD
                                                                                                    • _strnicmp.MSVCRT ref: 0040F3C7
                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040F3F3
                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040F413
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharMultiWide$Version_strnicmpmemset
                                                                                                    • String ID: WindowsLive:name=*$windowslive:name=
                                                                                                    • API String ID: 945165440-3589380929
                                                                                                    • Opcode ID: d3537b1fcb66bcdc9fcff810ba9b7ca2134040b22c3a5e9a54c7dacba821f27a
                                                                                                    • Instruction ID: 060cf85e61608373f285e6b38907096c177b9006a2a87b36be12541c3eea0e32
                                                                                                    • Opcode Fuzzy Hash: d3537b1fcb66bcdc9fcff810ba9b7ca2134040b22c3a5e9a54c7dacba821f27a
                                                                                                    • Instruction Fuzzy Hash: 034157B1408345AFD720DF24D88496BBBE8FB95314F004A3EF995A3691D734ED48CB66
                                                                                                    APIs
                                                                                                      • Part of subcall function 004101D8: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 004101EF
                                                                                                      • Part of subcall function 004101D8: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 004101FC
                                                                                                      • Part of subcall function 004101D8: memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 00410238
                                                                                                      • Part of subcall function 004101D8: CoTaskMemFree.COMBASE(?), ref: 00410247
                                                                                                    • strchr.MSVCRT ref: 00403711
                                                                                                    • _mbscpy.MSVCRT(?,00000001,?,?,?), ref: 0040373A
                                                                                                    • _mbscpy.MSVCRT(?,?,?,00000001,?,?,?), ref: 0040374A
                                                                                                    • strlen.MSVCRT ref: 0040376A
                                                                                                    • sprintf.MSVCRT ref: 0040378E
                                                                                                    • _mbscpy.MSVCRT(?,?), ref: 004037A4
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _mbscpy$FromStringUuid$FreeTaskmemcpysprintfstrchrstrlen
                                                                                                    • String ID: %s@gmail.com
                                                                                                    • API String ID: 3261640601-4097000612
                                                                                                    • Opcode ID: 1857ba01284e3ef5fad87af133785b5aa375f57696c97bdc8e280aa674fe1889
                                                                                                    • Instruction ID: 72ede288a24c3b6660e37d3abac1967f853eec84a0165e1bcd054a17ec7f23cd
                                                                                                    • Opcode Fuzzy Hash: 1857ba01284e3ef5fad87af133785b5aa375f57696c97bdc8e280aa674fe1889
                                                                                                    • Instruction Fuzzy Hash: 6F21ABF290411C6AEB11DB54DCC5FDAB7BCAB54308F0445AFF609E2181DA789B888B65
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00409239
                                                                                                    • GetDlgCtrlID.USER32(?), ref: 00409244
                                                                                                    • GetWindowTextA.USER32(?,?,00001000), ref: 00409257
                                                                                                    • memset.MSVCRT ref: 0040927D
                                                                                                    • GetClassNameA.USER32(?,?,000000FF), ref: 00409290
                                                                                                    • _strcmpi.MSVCRT ref: 004092A2
                                                                                                      • Part of subcall function 004090EB: _itoa.MSVCRT ref: 0040910C
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$ClassCtrlNameTextWindow_itoa_strcmpi
                                                                                                    • String ID: sysdatetimepick32
                                                                                                    • API String ID: 3411445237-4169760276
                                                                                                    • Opcode ID: 2263deae77ad64fe6a337343bfeab9347d6a54f7c053bec4a710b54e1cc46990
                                                                                                    • Instruction ID: a0e2247af9db09d92512eaab276e72a1f93a19cb85935bad7b90667d70954a25
                                                                                                    • Opcode Fuzzy Hash: 2263deae77ad64fe6a337343bfeab9347d6a54f7c053bec4a710b54e1cc46990
                                                                                                    • Instruction Fuzzy Hash: 32110A728050187FEB119754DC41EEB77ACEF55301F0000FBFA04E2142EAB48E848B64
                                                                                                    APIs
                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405A1A
                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405A2D
                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405A42
                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405A5A
                                                                                                    • EndDialog.USER32(?,00000002), ref: 00405A76
                                                                                                    • EndDialog.USER32(?,00000001), ref: 00405A89
                                                                                                      • Part of subcall function 00405723: GetDlgItem.USER32(?,000003E9), ref: 00405731
                                                                                                      • Part of subcall function 00405723: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405746
                                                                                                      • Part of subcall function 00405723: SendMessageA.USER32(?,00001032,00000000,00000000), ref: 00405762
                                                                                                    • SendDlgItemMessageA.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405AA1
                                                                                                    • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405BAD
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Item$DialogMessageSend
                                                                                                    • String ID:
                                                                                                    • API String ID: 2485852401-0
                                                                                                    • Opcode ID: 6705b758d8a8385fcf126e2abef302c8a68af69db22d8c06dbb4b6141a6eddaf
                                                                                                    • Instruction ID: 8242765b3035aad42ded22ad072fa167e05c4db834e8c53cb5a522b966aec9bd
                                                                                                    • Opcode Fuzzy Hash: 6705b758d8a8385fcf126e2abef302c8a68af69db22d8c06dbb4b6141a6eddaf
                                                                                                    • Instruction Fuzzy Hash: DC619E70200A05AFDB21AF25C8C6A2BB7A5FF44724F00C23AF955A76D1E778A950CF95
                                                                                                    APIs
                                                                                                    • SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B138
                                                                                                    • SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B16D
                                                                                                    • LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B1A2
                                                                                                    • LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B1BE
                                                                                                    • GetSysColor.USER32(0000000F), ref: 0040B1CE
                                                                                                    • DeleteObject.GDI32(?), ref: 0040B202
                                                                                                    • DeleteObject.GDI32(00000000), ref: 0040B205
                                                                                                    • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B223
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$DeleteImageLoadObject$Color
                                                                                                    • String ID:
                                                                                                    • API String ID: 3642520215-0
                                                                                                    • Opcode ID: 3b8b596084a258e6a3d6c587c6e164043eee07433b393cce24ea64cb7095e9ca
                                                                                                    • Instruction ID: 035281c2cfb68a6c78eb86e81ad7e7fbca9e62364f8fd823d381b3cb5a7ebbdd
                                                                                                    • Opcode Fuzzy Hash: 3b8b596084a258e6a3d6c587c6e164043eee07433b393cce24ea64cb7095e9ca
                                                                                                    • Instruction Fuzzy Hash: B7318175280708BFFA316B709C47FD6B795EB48B01F104829F3856A1E2CAF278909B58
                                                                                                    APIs
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(0000000C), ref: 00405BCE
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00405BEA
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00405C11
                                                                                                    • memset.MSVCRT ref: 00405C22
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405C51
                                                                                                    • InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405C9E
                                                                                                    • SetFocus.USER32(?,?,?,?), ref: 00405CA7
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00405CB5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                                                    • String ID:
                                                                                                    • API String ID: 2313361498-0
                                                                                                    • Opcode ID: 67f10acdfa4a8f43cc395e899afe5d23da730d96d34ea9f640f3fd50956f6045
                                                                                                    • Instruction ID: 8a5161a197c3c11310b51994d494e99affbcf27179d68dd4cd1e15cf4b4d4d3b
                                                                                                    • Opcode Fuzzy Hash: 67f10acdfa4a8f43cc395e899afe5d23da730d96d34ea9f640f3fd50956f6045
                                                                                                    • Instruction Fuzzy Hash: 0431B471500605AFEB249F69C845D2AF7A8FF043547148A3FF219E72A1DB78EC508B54
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00406930
                                                                                                    • strlen.MSVCRT ref: 0040693B
                                                                                                    • strlen.MSVCRT ref: 0040699D
                                                                                                    • strlen.MSVCRT ref: 004069AB
                                                                                                    • strlen.MSVCRT ref: 00406949
                                                                                                      • Part of subcall function 00406E81: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,0040210D,00000000,nss3.dll), ref: 00406E89
                                                                                                      • Part of subcall function 00406E81: _mbscat.MSVCRT ref: 00406E98
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: strlen$_mbscat_mbscpymemset
                                                                                                    • String ID: C@$key3.db$key4.db
                                                                                                    • API String ID: 581844971-2841947474
                                                                                                    • Opcode ID: 4cd6a97c6f09c36a5fb0adc4592fb996ab353a14a314023ffd691876fe9db25d
                                                                                                    • Instruction ID: 276f595f6d9fb14d306b90d89522efda4e53a8973e3769554d2ee0aec37c6aae
                                                                                                    • Opcode Fuzzy Hash: 4cd6a97c6f09c36a5fb0adc4592fb996ab353a14a314023ffd691876fe9db25d
                                                                                                    • Instruction Fuzzy Hash: 5D21F9729041196ADF10AA66DC41FCE77ACDF11319F1100BBF40DF6091EE38DA958668
                                                                                                    APIs
                                                                                                    • GetClientRect.USER32(?,?), ref: 0040B88E
                                                                                                    • GetWindowRect.USER32(?,?), ref: 0040B8A4
                                                                                                    • GetWindowRect.USER32(?,?), ref: 0040B8B7
                                                                                                    • BeginDeferWindowPos.USER32(00000003), ref: 0040B8D4
                                                                                                    • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040B8F1
                                                                                                    • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040B911
                                                                                                    • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040B938
                                                                                                    • EndDeferWindowPos.USER32(?), ref: 0040B941
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$Defer$Rect$BeginClient
                                                                                                    • String ID:
                                                                                                    • API String ID: 2126104762-0
                                                                                                    • Opcode ID: f6309ff644c12743b91cf70e9e807ca9d204e09485dec5c7f95147756245f13c
                                                                                                    • Instruction ID: cf9ea3ecf4623016fd9dc3f5f3f1318dd3ce101ba80f5eccba740e206150479f
                                                                                                    • Opcode Fuzzy Hash: f6309ff644c12743b91cf70e9e807ca9d204e09485dec5c7f95147756245f13c
                                                                                                    • Instruction Fuzzy Hash: F221C276A00609FFDF118FA8DD89FEEBBB9FB08700F104065FA55A2160C7716A519F24
                                                                                                    APIs
                                                                                                    • GetSystemMetrics.USER32(00000011), ref: 00407076
                                                                                                    • GetSystemMetrics.USER32(00000010), ref: 0040707C
                                                                                                    • GetDC.USER32(00000000), ref: 0040708A
                                                                                                    • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040709C
                                                                                                    • GetDeviceCaps.GDI32(004012E4,0000000A), ref: 004070A5
                                                                                                    • ReleaseDC.USER32(00000000,004012E4), ref: 004070AE
                                                                                                    • GetWindowRect.USER32(004012E4,?), ref: 004070BB
                                                                                                    • MoveWindow.USER32(004012E4,?,?,?,?,00000001,?,?,?,?,?,?,004012E4,?), ref: 00407100
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
                                                                                                    • String ID:
                                                                                                    • API String ID: 1999381814-0
                                                                                                    APIs
                                                                                                    Similarity
                                                                                                    • API ID: memcpymemset
                                                                                                    • String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
                                                                                                    • API String ID: 1297977491-3883738016
                                                                                                    APIs
                                                                                                    Similarity
                                                                                                    • API ID: __aulldvrm$__aullrem
                                                                                                    • String ID: -$-x0$0123456789ABCDEF0123456789abcdef
                                                                                                    • API String ID: 643879872-978417875
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040D80B
                                                                                                    • memset.MSVCRT ref: 0040D81F
                                                                                                    • memset.MSVCRT ref: 0040D833
                                                                                                      • Part of subcall function 004075CB: strlen.MSVCRT ref: 004075DD
                                                                                                      • Part of subcall function 004075CB: strlen.MSVCRT ref: 004075E5
                                                                                                      • Part of subcall function 004075CB: _memicmp.MSVCRT ref: 00407603
                                                                                                    • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040D900
                                                                                                    • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040D943
                                                                                                    • memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040D960
                                                                                                    Similarity
                                                                                                    • API ID: memcpymemset$strlen$_memicmp
                                                                                                    • String ID: user_pref("
                                                                                                    • API String ID: 765841271-2487180061
                                                                                                    APIs
                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405813
                                                                                                    • SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 0040582C
                                                                                                    • SendMessageA.USER32(?,00001036,00000000,00000026), ref: 00405839
                                                                                                    • SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 00405845
                                                                                                    • memset.MSVCRT ref: 004058AF
                                                                                                    • SendMessageA.USER32(?,00001019,?,?), ref: 004058E0
                                                                                                    • SetFocus.USER32(?), ref: 00405965
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$FocusItemmemset
                                                                                                    • String ID:
                                                                                                    • API String ID: 4281309102-0
                                                                                                    APIs
                                                                                                      • Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
                                                                                                      • Part of subcall function 00406AD1: WriteFile.KERNEL32(00445BB0,00000001,00000000,74DF0A60,00000000,?,?,0040A51A,00000001,00445BB0,74DF0A60), ref: 00406AEB
                                                                                                    • _mbscat.MSVCRT ref: 0040A65B
                                                                                                    • sprintf.MSVCRT ref: 0040A67D
                                                                                                    Similarity
                                                                                                    • API ID: FileWrite_mbscatsprintfstrlen
                                                                                                    • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                                    • API String ID: 1631269929-4153097237
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00407E84
                                                                                                      • Part of subcall function 00410475: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,0040264A,?), ref: 0041048B
                                                                                                      • Part of subcall function 00404666: _mbscpy.MSVCRT ref: 004046B5
                                                                                                      • Part of subcall function 0040472F: LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
                                                                                                      • Part of subcall function 0040472F: GetProcAddress.KERNEL32(00000000,?), ref: 0040474F
                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00408018,?,000000FD,00000000,00000000,?,00000000,00408018,?,?,?,?,00000000), ref: 00407F1F
                                                                                                    • LocalFree.KERNEL32(?,?,?,?,?,00000000,75A8EB20,?), ref: 00407F2F
                                                                                                      • Part of subcall function 00410452: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,004107E3,?,?,?,?,004107E3,00000000,?,?), ref: 0041046D
                                                                                                      • Part of subcall function 00406CA4: strlen.MSVCRT ref: 00406CA9
                                                                                                      • Part of subcall function 00406CA4: memcpy.MSVCRT(?,00401CA0,00000000,00000000,00401CA0,00000001,00000104,?,?,?,?,?,00000000), ref: 00406CBE
                                                                                                    Similarity
                                                                                                    • API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWide_mbscpymemcpymemsetstrlen
                                                                                                    • String ID: POP3_credentials$POP3_host$POP3_name
                                                                                                    • API String ID: 524865279-2190619648
                                                                                                    APIs
                                                                                                    Similarity
                                                                                                    • API ID: ItemMenu$CountInfomemsetstrchr
                                                                                                    • String ID: 0$6
                                                                                                    • API String ID: 2300387033-3849865405
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00407466
                                                                                                    • sprintf.MSVCRT ref: 00407493
                                                                                                    • strlen.MSVCRT ref: 0040749F
                                                                                                    • memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 004074B4
                                                                                                    • strlen.MSVCRT ref: 004074C2
                                                                                                    • memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 004074D2
                                                                                                    Similarity
                                                                                                    • API ID: memcpystrlen$memsetsprintf
                                                                                                    • String ID: %s (%s)
                                                                                                    • API String ID: 3756086014-1363028141
                                                                                                    APIs
                                                                                                    • UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 004101EF
                                                                                                    • UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 004101FC
                                                                                                    • memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 00410238
                                                                                                    • CoTaskMemFree.COMBASE(?), ref: 00410247
                                                                                                    Strings
                                                                                                    • 5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 004101EA
                                                                                                    • 00000000-0000-0000-0000-000000000000, xrefs: 004101F7
                                                                                                    Similarity
                                                                                                    • API ID: FromStringUuid$FreeTaskmemcpy
                                                                                                    • String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
                                                                                                    • API String ID: 1640410171-3316789007
                                                                                                    APIs
                                                                                                      • Part of subcall function 00406A9F: CreateFileA.KERNEL32(R7D,80000000,00000001,00000000,00000003,00000000,00000000,0044368E,?,.8D,00443752,?,?,*.oeaccount,.8D,?), ref: 00406AB1
                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,00000000,.8D,00443752,?,?,*.oeaccount,.8D,?,00000104), ref: 0044369D
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000002,?), ref: 004436AF
                                                                                                    • SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 004436BE
                                                                                                      • Part of subcall function 004072EF: ReadFile.KERNEL32(00000000,?,004436D1,00000000,00000000,?,?,004436D1,?,00000000), ref: 00407306
                                                                                                      • Part of subcall function 00443546: wcslen.MSVCRT ref: 00443559
                                                                                                      • Part of subcall function 00443546: ??2@YAPAXI@Z.MSVCRT(00000001,004436E8,00000000,00000000,00000000,?,004436E8,?,00000000), ref: 00443562
                                                                                                      • Part of subcall function 00443546: WideCharToMultiByte.KERNEL32(00000000,00000000,004436E8,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004436E8,?,00000000), ref: 0044357B
                                                                                                      • Part of subcall function 00443546: strlen.MSVCRT ref: 004435BE
                                                                                                      • Part of subcall function 00443546: memcpy.MSVCRT(?,00000000,004436E8), ref: 004435D8
                                                                                                      • Part of subcall function 00443546: ??3@YAXPAX@Z.MSVCRT(00000000,004436E8,?,00000000), ref: 0044366B
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 004436E9
                                                                                                    • CloseHandle.KERNEL32(?), ref: 004436F3
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
                                                                                                    • String ID: .8D
                                                                                                    • API String ID: 1886237854-2881260426
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00408F5D
                                                                                                    • sprintf.MSVCRT ref: 00408F72
                                                                                                      • Part of subcall function 0040900D: memset.MSVCRT ref: 00409031
                                                                                                      • Part of subcall function 0040900D: GetPrivateProfileStringA.KERNEL32(00451308,0000000A,0044551F,?,00001000,00451200), ref: 00409053
                                                                                                      • Part of subcall function 0040900D: _mbscpy.MSVCRT(?,?), ref: 0040906D
                                                                                                    • SetWindowTextA.USER32(?,?), ref: 00408F99
                                                                                                    • EnumChildWindows.USER32(?,Function_00008ED5,00000000), ref: 00408FA9
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
                                                                                                    • String ID: caption$dialog_%d
                                                                                                    • API String ID: 2923679083-4161923789
                                                                                                    APIs
                                                                                                    • memcpy.MSVCRT(00000020,?,00000001), ref: 0042603C
                                                                                                    Strings
                                                                                                    • cannot release savepoint - SQL statements in progress, xrefs: 004260EE
                                                                                                    • unknown error, xrefs: 00426E65
                                                                                                    • cannot open savepoint - SQL statements in progress, xrefs: 00426002
                                                                                                    • abort due to ROLLBACK, xrefs: 00427E1B
                                                                                                    • no such savepoint: %s, xrefs: 004260D0
                                                                                                    Similarity
                                                                                                    • API ID: memcpy
                                                                                                    • String ID: abort due to ROLLBACK$cannot open savepoint - SQL statements in progress$cannot release savepoint - SQL statements in progress$no such savepoint: %s$unknown error
                                                                                                    • API String ID: 3510742995-3035234601
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: memset
                                                                                                    • String ID: GROUP$H$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                                                                                    • API String ID: 2221118986-3608744896
                                                                                                    APIs
                                                                                                    • memcpy.MSVCRT(00000058,0044AC70,00000030,?,00000143,00000000,00406678,?), ref: 00441F4B
                                                                                                      • Part of subcall function 00441A6C: memcmp.MSVCRT(?,file:,00000005,00000000,00000000,BINARY,?,?,?,?,00442034,00000000), ref: 00441AB5
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: memcmpmemcpy
                                                                                                    • String ID: BINARY$NOCASE$RTRIM$main$temp
                                                                                                    • API String ID: 1784268899-4153596280
                                                                                                    APIs
                                                                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,0040F7DE,00000000,00000000), ref: 0040FB5E
                                                                                                    • memset.MSVCRT ref: 0040FBBB
                                                                                                    • memset.MSVCRT ref: 0040FBCD
                                                                                                      • Part of subcall function 0040FA44: _mbscpy.MSVCRT(?,-00000001), ref: 0040FA6A
                                                                                                    • memset.MSVCRT ref: 0040FCB4
                                                                                                    • _mbscpy.MSVCRT(?,?,?,00000000,00000118), ref: 0040FCD9
                                                                                                    • CloseHandle.KERNEL32(00000000,0040F7DE,?), ref: 0040FD23
                                                                                                    Similarity
                                                                                                    • API ID: memset$_mbscpy$CloseHandleOpenProcess
                                                                                                    • String ID:
                                                                                                    • API String ID: 3974772901-0
                                                                                                    APIs
                                                                                                    • wcslen.MSVCRT ref: 00443559
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000001,004436E8,00000000,00000000,00000000,?,004436E8,?,00000000), ref: 00443562
                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,004436E8,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004436E8,?,00000000), ref: 0044357B
                                                                                                      • Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,0044358C,?,004436E8,?,00000000), ref: 0044288D
                                                                                                      • Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,0044358C,?,004436E8,?,00000000), ref: 004428AB
                                                                                                      • Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044358C,?,004436E8,?,00000000), ref: 004428C6
                                                                                                      • Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044358C,?,004436E8,?,00000000), ref: 004428EF
                                                                                                      • Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044358C,?,004436E8,?,00000000), ref: 00442913
                                                                                                    • strlen.MSVCRT ref: 004435BE
                                                                                                      • Part of subcall function 004429E9: ??3@YAXPAX@Z.MSVCRT(?,?,004435CC), ref: 004429F4
                                                                                                      • Part of subcall function 004429E9: ??2@YAPAXI@Z.MSVCRT(00000001,?,004435CC), ref: 00442A03
                                                                                                    • memcpy.MSVCRT(?,00000000,004436E8), ref: 004435D8
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,004436E8,?,00000000), ref: 0044366B
                                                                                                    Similarity
                                                                                                    • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                                                                                                    • String ID:
                                                                                                    • API String ID: 577244452-0
                                                                                                    APIs
                                                                                                      • Part of subcall function 00406CA4: strlen.MSVCRT ref: 00406CA9
                                                                                                      • Part of subcall function 00406CA4: memcpy.MSVCRT(?,00401CA0,00000000,00000000,00401CA0,00000001,00000104,?,?,?,?,?,00000000), ref: 00406CBE
                                                                                                    • _strcmpi.MSVCRT ref: 004044FA
                                                                                                    • _strcmpi.MSVCRT ref: 00404518
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: _strcmpi$memcpystrlen
                                                                                                    • String ID: imap$pop3$smtp
                                                                                                    • API String ID: 2025310588-821077329
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040BD88
                                                                                                      • Part of subcall function 00408B27: LoadStringA.USER32(00000000,0000000D,?,?), ref: 00408BF0
                                                                                                      • Part of subcall function 00408B27: memcpy.MSVCRT(00000000,00000001,?,?,?,?,?,00000000,74DF0A60), ref: 00408C2F
                                                                                                      • Part of subcall function 00408B27: _mbscpy.MSVCRT(00451308,strings,?,?,00409A4F,?,?,?,?,?,00000000,74DF0A60), ref: 00408BA2
                                                                                                      • Part of subcall function 00408B27: strlen.MSVCRT ref: 00408BC0
                                                                                                      • Part of subcall function 00407446: memset.MSVCRT ref: 00407466
                                                                                                      • Part of subcall function 00407446: sprintf.MSVCRT ref: 00407493
                                                                                                      • Part of subcall function 00407446: strlen.MSVCRT ref: 0040749F
                                                                                                      • Part of subcall function 00407446: memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 004074B4
                                                                                                      • Part of subcall function 00407446: strlen.MSVCRT ref: 004074C2
                                                                                                      • Part of subcall function 00407446: memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 004074D2
                                                                                                      • Part of subcall function 00407279: _mbscpy.MSVCRT(?,?), ref: 004072DF
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Similarity
                                                                                                    • API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
                                                                                                    • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00403A78
                                                                                                    • memset.MSVCRT ref: 00403A91
                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF), ref: 00403AA8
                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403AC7
                                                                                                    • strlen.MSVCRT ref: 00403AD9
                                                                                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403AEA
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharMultiWidememset$FileWritestrlen
                                                                                                    APIs
                                                                                                    • GetTempPathA.KERNEL32(00000104,?), ref: 0040BEB8
                                                                                                    • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040BECA
                                                                                                    • GetTempFileNameA.KERNEL32(?,00446634,00000000,?), ref: 0040BEEC
                                                                                                    • OpenClipboard.USER32(?), ref: 0040BF0C
                                                                                                    • GetLastError.KERNEL32 ref: 0040BF25
                                                                                                    • DeleteFileA.KERNEL32(00000000), ref: 0040BF42
                                                                                                    Similarity
                                                                                                    • API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
                                                                                                    APIs
                                                                                                    • memcmp.MSVCRT(00000000,0044FE98,00000010,00000000,?,00406246,?,?,?,004068F5,?), ref: 00406129
                                                                                                      • Part of subcall function 00406057: memcmp.MSVCRT(?,00406144,00000004,000000FF), ref: 00406075
                                                                                                      • Part of subcall function 00406057: memcpy.MSVCRT(0000034F,?,?,?), ref: 004060A4
                                                                                                      • Part of subcall function 00406057: memcpy.MSVCRT(-00000251,?,00000060,0000034F,?,?,?), ref: 004060B9
                                                                                                    • memcmp.MSVCRT(00000000,password-check,0000000E,00000000,?,00406246,?,?,?,004068F5,?), ref: 00406154
                                                                                                    • memcmp.MSVCRT(00000000,global-salt,0000000B,00000000,?,00406246,?,?,?,004068F5,?), ref: 0040617C
                                                                                                    • memcpy.MSVCRT(0000022E,?,?), ref: 00406199
                                                                                                    Similarity
                                                                                                    • API ID: memcmp$memcpy
                                                                                                    • String ID: global-salt$password-check
                                                                                                    APIs
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,0044367C,004436E8,?,00000000), ref: 0044296E
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,0044367C,004436E8,?,00000000), ref: 00442989
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,0044367C,004436E8,?,00000000), ref: 0044299F
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,0044367C,004436E8,?,00000000), ref: 004429B5
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,0044367C,004436E8,?,00000000), ref: 004429CB
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,0044367C,004436E8,?,00000000), ref: 004429E1
                                                                                                    Similarity
                                                                                                    • API ID: ??3@
                                                                                                    APIs
                                                                                                    • GetClientRect.USER32(?,?), ref: 004016A2
                                                                                                    • GetSystemMetrics.USER32(00000015), ref: 004016B0
                                                                                                    • GetSystemMetrics.USER32(00000014), ref: 004016BC
                                                                                                    • BeginPaint.USER32(?,?), ref: 004016D6
                                                                                                    • DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 004016E5
                                                                                                    • EndPaint.USER32(?,?), ref: 004016F2
                                                                                                    Similarity
                                                                                                    • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                                                                                                    APIs
                                                                                                    • DestroyWindow.USER32(?), ref: 0040C352
                                                                                                    • SetFocus.USER32(?,?,?), ref: 0040C3F8
                                                                                                    • InvalidateRect.USER32(?,00000000,00000000), ref: 0040C4F5
                                                                                                    Similarity
                                                                                                    • API ID: DestroyFocusInvalidateRectWindow
                                                                                                    • String ID: XgD$rY@
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00406376
                                                                                                    • memcpy.MSVCRT(?,00000060,?,?,00000000,?), ref: 00406389
                                                                                                    • memcpy.MSVCRT(?,00000060,?,?,?,?,?,00000000,?), ref: 0040639C
                                                                                                      • Part of subcall function 00404883: memset.MSVCRT ref: 004048BD
                                                                                                      • Part of subcall function 00404883: memset.MSVCRT ref: 004048D1
                                                                                                      • Part of subcall function 00404883: memset.MSVCRT ref: 004048E5
                                                                                                      • Part of subcall function 00404883: memcpy.MSVCRT(?,00406546,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,?,?), ref: 004048F7
                                                                                                      • Part of subcall function 00404883: memcpy.MSVCRT(?,00406546,?,?,00406546,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 00404909
                                                                                                    • memcpy.MSVCRT(?,?,00000014,?,00000040,00406546,00000060,?,?,?,00000040,00406546,?,?,?), ref: 004063E0
                                                                                                    • memcpy.MSVCRT(?,00000060,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004063F3
                                                                                                    • memcpy.MSVCRT(?,?,00000014,?,00000040,00406546,?,?,?,?,?,?,?,?,?), ref: 00406420
                                                                                                    • memcpy.MSVCRT(?,?,00000014,?,?,?,?,?,?,?,?,?), ref: 00406435
                                                                                                      • Part of subcall function 0040625B: memcpy.MSVCRT(?,?,00000008,?,?,?,?,?), ref: 00406287
                                                                                                    Similarity
                                                                                                    • API ID: memcpy$memset
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00443E43
                                                                                                    • memset.MSVCRT ref: 00443E5C
                                                                                                    • memset.MSVCRT ref: 00443E70
                                                                                                      • Part of subcall function 00443946: strlen.MSVCRT ref: 00443953
                                                                                                    • strlen.MSVCRT ref: 00443E8C
                                                                                                    • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,0040380C,00000000), ref: 00443EB1
                                                                                                    • memcpy.MSVCRT(?,?,00000008,?,00000000,00000000,?,?,?,?,?,?,00000000,0040380C,00000000), ref: 00443EC7
                                                                                                      • Part of subcall function 0040CF27: memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00443EE6,?,?,?,00000008,?,00000000,00000000), ref: 0040CFB8
                                                                                                      • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040CFE4
                                                                                                      • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040CFFA
                                                                                                      • Part of subcall function 0040CFC5: memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040380C,00000000), ref: 0040D031
                                                                                                      • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040D03B
                                                                                                    • memcpy.MSVCRT(?,?,00000008,?,?,?,?,00000008,?,00000000,00000000), ref: 00443F07
                                                                                                      • Part of subcall function 0040CF27: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00443EE6,?,?,?,00000008,?,00000000,00000000), ref: 0040CF6A
                                                                                                      • Part of subcall function 0040CF27: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00443EE6,?,?,?,00000008,?,00000000,00000000), ref: 0040CF94
                                                                                                      • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040D00C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpymemset$strlen
                                                                                                    • String ID:
                                                                                                    • API String ID: 2142929671-0
                                                                                                    APIs
                                                                                                    • _mbscpy.MSVCRT(00451308,strings,?,?,00409A4F,?,?,?,?,?,00000000,74DF0A60), ref: 00408BA2
                                                                                                      • Part of subcall function 00408FB1: _itoa.MSVCRT ref: 00408FD2
                                                                                                    • strlen.MSVCRT ref: 00408BC0
                                                                                                    • LoadStringA.USER32(00000000,0000000D,?,?), ref: 00408BF0
                                                                                                    • memcpy.MSVCRT(00000000,00000001,?,?,?,?,?,00000000,74DF0A60), ref: 00408C2F
                                                                                                      • Part of subcall function 00408AA5: ??2@YAPAXI@Z.MSVCRT(00008000,00408B35,00409A4F,?,?,?,?,?,00000000,74DF0A60), ref: 00408ACD
                                                                                                      • Part of subcall function 00408AA5: ??2@YAPAXI@Z.MSVCRT(00000000,00008000,00408B35,00409A4F,?,?,?,?,?,00000000,74DF0A60), ref: 00408AEB
                                                                                                      • Part of subcall function 00408AA5: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,00408B35,00409A4F,?,?,?,?,?,00000000,74DF0A60), ref: 00408B09
                                                                                                      • Part of subcall function 00408AA5: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,00408B35,00409A4F,?,?,?,?,?,00000000,74DF0A60), ref: 00408B19
                                                                                                    Similarity
                                                                                                    • API ID: ??2@$LoadString_itoa_mbscpymemcpystrlen
                                                                                                    • String ID: strings
                                                                                                    • API String ID: 4036804644-3030018805
                                                                                                    APIs
                                                                                                      • Part of subcall function 00404666: _mbscpy.MSVCRT ref: 004046B5
                                                                                                      • Part of subcall function 004045D6: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F07D,?,00000000), ref: 004045E3
                                                                                                      • Part of subcall function 004045D6: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 004045FC
                                                                                                      • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredFree), ref: 00404608
                                                                                                      • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404614
                                                                                                      • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404620
                                                                                                      • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040462C
                                                                                                      • Part of subcall function 0040472F: LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
                                                                                                      • Part of subcall function 0040472F: GetProcAddress.KERNEL32(00000000,?), ref: 0040474F
                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000100,000000FF,00000000,00000000,?,?,?,?,00000000), ref: 0040F123
                                                                                                    • strlen.MSVCRT ref: 0040F133
                                                                                                    • _mbscpy.MSVCRT(00000000,?,?,00000000), ref: 0040F144
                                                                                                    • LocalFree.KERNEL32(00000000,?,00000000), ref: 0040F151
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$LibraryLoad_mbscpy$ByteCharFreeLocalMultiWidestrlen
                                                                                                    • String ID: Passport.Net\*
                                                                                                    • API String ID: 2329438634-3671122194
                                                                                                    APIs
                                                                                                      • Part of subcall function 00403158: strchr.MSVCRT ref: 0040326D
                                                                                                    • memset.MSVCRT ref: 004032FD
                                                                                                    • GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403317
                                                                                                    • strchr.MSVCRT ref: 0040334C
                                                                                                      • Part of subcall function 004023D7: _mbsicmp.MSVCRT ref: 0040240F
                                                                                                    • strlen.MSVCRT ref: 0040338E
                                                                                                      • Part of subcall function 004023D7: _mbscmp.MSVCRT ref: 004023EB
                                                                                                    Similarity
                                                                                                    • API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
                                                                                                    • String ID: Personalities
                                                                                                    • API String ID: 2103853322-4287407858
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00443A57
                                                                                                      • Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,004107BA,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410424
                                                                                                      • Part of subcall function 00410452: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,004107E3,?,?,?,?,004107E3,00000000,?,?), ref: 0041046D
                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 00443AC3
                                                                                                    Similarity
                                                                                                    • API ID: CloseOpenQueryValuememset
                                                                                                    • String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
                                                                                                    • API String ID: 1830152886-1703613266
                                                                                                    APIs
                                                                                                    • GetLastError.KERNEL32(?), ref: 00406B25
                                                                                                    • sprintf.MSVCRT ref: 00406B4D
                                                                                                    • MessageBoxA.USER32(00000000,?,Error,00000030), ref: 00406B66
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLastMessagesprintf
                                                                                                    • String ID: Error$Error %d: %s
                                                                                                    • API String ID: 1670431679-1552265934
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNEL32(shlwapi.dll,000003ED,75C08FB0,00405E9E,00000000), ref: 00410912
                                                                                                    • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 00410920
                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00410938
                                                                                                    Similarity
                                                                                                    • API ID: Library$AddressFreeLoadProc
                                                                                                    • String ID: SHAutoComplete$shlwapi.dll
                                                                                                    • API String ID: 145871493-1506664499
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0043D4CD
                                                                                                    • memset.MSVCRT ref: 0043D506
                                                                                                    • memcpy.MSVCRT(00000001,A9850F59,00000000,?,00000001,00000000), ref: 0043D781
                                                                                                    Similarity
                                                                                                    • API ID: memset$memcpy
                                                                                                    • String ID: $no query solution
                                                                                                    • API String ID: 368790112-326442043
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    • unknown column "%s" in foreign key definition, xrefs: 0043027A
                                                                                                    • foreign key on %s should reference only one column of table %T, xrefs: 0043005F
                                                                                                    • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00430087
                                                                                                    Similarity
                                                                                                    • API ID: memcpy
                                                                                                    • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                    • API String ID: 3510742995-272990098
                                                                                                    APIs
                                                                                                    Similarity
                                                                                                    • API ID: memset
                                                                                                    • String ID: H
                                                                                                    • API String ID: 2221118986-2852464175
                                                                                                    APIs
                                                                                                      • Part of subcall function 00413185: memcpy.MSVCRT(?,00416F96,00000004,?,?,00416F96,?,?,00417075,?,?,?,?), ref: 00413192
                                                                                                    • memcmp.MSVCRT(?,?,00000004,00000000,?,?,0041D6DC,?,?,?,?,0043564D), ref: 0041D435
                                                                                                    • memcmp.MSVCRT(?,SQLite format 3,00000010,00000000,?,?,0041D6DC,?,?,?), ref: 0041D462
                                                                                                    • memcmp.MSVCRT(?,@ ,00000003,?,?,?,00000000,?,?,0041D6DC,?,?,?), ref: 0041D4CE
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: memcmp$memcpy
                                                                                                    • String ID: @ $SQLite format 3
                                                                                                    • API String ID: 231171946-3708268960
                                                                                                    APIs
                                                                                                    • memcpy.MSVCRT(00004000,00004000,?), ref: 00424E4D
                                                                                                    • memcpy.MSVCRT(?,00004000,?), ref: 00424E68
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: memcpy
                                                                                                    • String ID: out of memory$statement aborts at %d: [%s] %s$string or blob too big
                                                                                                    • API String ID: 3510742995-3170954634
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: memcpy$memset
                                                                                                    • String ID: winWrite1$winWrite2
                                                                                                    • API String ID: 438689982-3457389245
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: memcpymemset
                                                                                                    • String ID: winRead
                                                                                                    • API String ID: 1297977491-2759563040
                                                                                                    APIs
                                                                                                      • Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
                                                                                                      • Part of subcall function 00406AD1: WriteFile.KERNEL32(00445BB0,00000001,00000000,74DF0A60,00000000,?,?,0040A51A,00000001,00445BB0,74DF0A60), ref: 00406AEB
                                                                                                    • memset.MSVCRT ref: 0040A8F8
                                                                                                      • Part of subcall function 0041096F: memcpy.MSVCRT(?,&lt;,00000004,?,?,00000000,0040A919,?,?), ref: 004109DD
                                                                                                      • Part of subcall function 0040A245: _mbscpy.MSVCRT(00000000,?,0040A92E,?,?,?), ref: 0040A24A
                                                                                                      • Part of subcall function 0040A245: _strlwr.MSVCRT ref: 0040A28D
                                                                                                    • sprintf.MSVCRT ref: 0040A93D
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: FileWrite_mbscpy_strlwrmemcpymemsetsprintfstrlen
                                                                                                    • String ID: <%s>%s</%s>$</item>$<item>
                                                                                                    • API String ID: 3337535707-2769808009
                                                                                                    APIs
                                                                                                    Similarity
                                                                                                    • API ID: _mbscat$memsetsprintf
                                                                                                    • String ID:
                                                                                                    • API String ID: 125969286-0
                                                                                                    APIs
                                                                                                    • GetParent.USER32(?), ref: 00408E33
                                                                                                    • GetWindowRect.USER32(?,?), ref: 00408E40
                                                                                                    • GetClientRect.USER32(00000000,?), ref: 00408E4B
                                                                                                    • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00408E5B
                                                                                                    • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00408E77
                                                                                                    Similarity
                                                                                                    • API ID: Window$Rect$ClientParentPoints
                                                                                                    • String ID:
                                                                                                    • API String ID: 4247780290-0
                                                                                                    APIs
                                                                                                    • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0040B70C
                                                                                                      • Part of subcall function 00406A00: LoadCursorA.USER32(00000000,00007F02), ref: 00406A07
                                                                                                      • Part of subcall function 00406A00: SetCursor.USER32(00000000,?,0040CD7F), ref: 00406A0E
                                                                                                    • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0040B72F
                                                                                                      • Part of subcall function 0040B65E: sprintf.MSVCRT ref: 0040B684
                                                                                                      • Part of subcall function 0040B65E: sprintf.MSVCRT ref: 0040B6AE
                                                                                                      • Part of subcall function 0040B65E: _mbscat.MSVCRT ref: 0040B6C1
                                                                                                      • Part of subcall function 0040B65E: SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B6E7
                                                                                                    • SetCursor.USER32(?,?,0040C8F2), ref: 0040B754
                                                                                                    • SetFocus.USER32(?,?,?,0040C8F2), ref: 0040B766
                                                                                                    • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0040B77D
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$Cursor$sprintf$FocusLoad_mbscat
                                                                                                    • String ID:
                                                                                                    • API String ID: 2374668499-0
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040AAB7
                                                                                                    • memset.MSVCRT ref: 0040AACD
                                                                                                      • Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
                                                                                                      • Part of subcall function 00406AD1: WriteFile.KERNEL32(00445BB0,00000001,00000000,74DF0A60,00000000,?,?,0040A51A,00000001,00445BB0,74DF0A60), ref: 00406AEB
                                                                                                      • Part of subcall function 0040A245: _mbscpy.MSVCRT(00000000,?,0040A92E,?,?,?), ref: 0040A24A
                                                                                                      • Part of subcall function 0040A245: _strlwr.MSVCRT ref: 0040A28D
                                                                                                    • sprintf.MSVCRT ref: 0040AB04
                                                                                                    Strings
                                                                                                    • <%s>, xrefs: 0040AAFE
                                                                                                    • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 0040AAD2
                                                                                                    Similarity
                                                                                                    • API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
                                                                                                    • String ID: <%s>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                    • API String ID: 3699762281-1998499579
                                                                                                    APIs
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409999,?,?,00000000,74DF0A60,?,00000000), ref: 004097AB
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409999,?,?,00000000,74DF0A60,?,00000000), ref: 004097B9
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409999,?,?,00000000,74DF0A60,?,00000000), ref: 004097CA
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409999,?,?,00000000,74DF0A60,?,00000000), ref: 004097E1
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409999,?,?,00000000,74DF0A60,?,00000000), ref: 004097EA
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ??3@
                                                                                                    • String ID:
                                                                                                    • API String ID: 613200358-0
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409999,?,?,00000000,74DF0A60,?,00000000), ref: 004097AB
                                                                                                      • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409999,?,?,00000000,74DF0A60,?,00000000), ref: 004097B9
                                                                                                      • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409999,?,?,00000000,74DF0A60,?,00000000), ref: 004097CA
                                                                                                      • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409999,?,?,00000000,74DF0A60,?,00000000), ref: 004097E1
                                                                                                      • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409999,?,?,00000000,74DF0A60,?,00000000), ref: 004097EA
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,004041D3), ref: 00409820
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,004041D3), ref: 00409833
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,004041D3), ref: 00409846
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,004041D3), ref: 00409859
                                                                                                    • free.MSVCRT ref: 0040986D
                                                                                                      • Part of subcall function 004077E4: free.MSVCRT ref: 004077EB
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ??3@$free
                                                                                                    • String ID:
                                                                                                    • API String ID: 2241099983-0
                                                                                                    APIs
                                                                                                      • Part of subcall function 00406EA5: memset.MSVCRT ref: 00406EC5
                                                                                                      • Part of subcall function 00406EA5: GetClassNameA.USER32(?,00000000,000000FF), ref: 00406ED8
                                                                                                      • Part of subcall function 00406EA5: _strcmpi.MSVCRT ref: 00406EEA
                                                                                                    • SetBkMode.GDI32(?,00000001), ref: 00410113
                                                                                                    • GetSysColor.USER32(00000005), ref: 0041011B
                                                                                                    • SetBkColor.GDI32(?,00000000), ref: 00410125
                                                                                                    • SetTextColor.GDI32(?,00C00000), ref: 00410133
                                                                                                    • GetSysColorBrush.USER32(00000005), ref: 0041013B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Color$BrushClassModeNameText_strcmpimemset
                                                                                                    • String ID:
                                                                                                    • API String ID: 2775283111-0
                                                                                                    APIs
                                                                                                    • BeginDeferWindowPos.USER32(0000000A), ref: 00405F44
                                                                                                      • Part of subcall function 004015F3: GetDlgItem.USER32(?,?), ref: 00401603
                                                                                                      • Part of subcall function 004015F3: GetClientRect.USER32(?,?), ref: 00401615
                                                                                                      • Part of subcall function 004015F3: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 0040167F
                                                                                                    • EndDeferWindowPos.USER32(?), ref: 00406003
                                                                                                    • InvalidateRect.USER32(?,?,00000001), ref: 0040600E
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: DeferWindow$Rect$BeginClientInvalidateItem
                                                                                                    • String ID: $
                                                                                                    • API String ID: 2498372239-3993045852
                                                                                                    APIs
                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414105
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                    • String ID: winSeekFile$winTruncate1$winTruncate2
                                                                                                    • API String ID: 885266447-2471937615
                                                                                                    APIs
                                                                                                      • Part of subcall function 00406A9F: CreateFileA.KERNEL32(R7D,80000000,00000001,00000000,00000003,00000000,00000000,0044368E,?,.8D,00443752,?,?,*.oeaccount,.8D,?), ref: 00406AB1
                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,key3.db,00000143,00000000,C@,004069F3,00000000,?,?,00000000), ref: 0040688C
                                                                                                    • CloseHandle.KERNEL32(?), ref: 004068B2
                                                                                                      • Part of subcall function 00407691: ??3@YAXPAX@Z.MSVCRT(00000000,004068A1), ref: 00407698
                                                                                                      • Part of subcall function 00407691: ??2@YAPAXI@Z.MSVCRT(00000000,004068A1), ref: 004076A6
                                                                                                      • Part of subcall function 004072EF: ReadFile.KERNEL32(00000000,?,004436D1,00000000,00000000,?,?,004436D1,?,00000000), ref: 00407306
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: File$??2@??3@CloseCreateHandleReadSize
                                                                                                    • String ID: C@$key3.db
                                                                                                    • API String ID: 1968906679-1993167907
                                                                                                    APIs
                                                                                                      • Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,004107BA,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410424
                                                                                                    • memset.MSVCRT ref: 00407FCE
                                                                                                      • Part of subcall function 004104D7: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 004104FA
                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 0040801C
                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 00408039
                                                                                                    Strings
                                                                                                    • Software\Google\Google Desktop\Mailboxes, xrefs: 00407FA6
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Close$EnumOpenmemset
                                                                                                    • String ID: Software\Google\Google Desktop\Mailboxes
                                                                                                    • API String ID: 2255314230-2212045309
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040BFE7
                                                                                                    • SetFocus.USER32(?,?), ref: 0040C06F
                                                                                                      • Part of subcall function 0040BFB1: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040BFC0
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FocusMessagePostmemset
                                                                                                    • String ID: +_@$l
                                                                                                    • API String ID: 3436799508-640399337
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00409682
                                                                                                    • SendMessageA.USER32(?,00001019,00000000,?), ref: 004096B0
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSendmemset
                                                                                                    • String ID: "$lD
                                                                                                    • API String ID: 568519121-3281613384
                                                                                                    APIs
                                                                                                      • Part of subcall function 00406D65: memset.MSVCRT ref: 00406D6F
                                                                                                      • Part of subcall function 00406D65: _mbscpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,00406E3D,Arial,0000000E,00000000), ref: 00406DAF
                                                                                                    • CreateFontIndirectA.GDI32(?), ref: 0040101F
                                                                                                    • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
                                                                                                    • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
                                                                                                    • String ID: MS Sans Serif
                                                                                                    • API String ID: 3492281209-168460110
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: ClassName_strcmpimemset
                                                                                                    • String ID: edit
                                                                                                    • API String ID: 275601554-2167791130
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: strlen$_mbscat
                                                                                                    • String ID: 8D
                                                                                                    • API String ID: 3951308622-2703402624
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: _mbscat$_mbscpy
                                                                                                    • String ID: Password2
                                                                                                    • API String ID: 2600922555-1856559283
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNEL32(shell32.dll,0040CC91,74DF0A60,?,00000000), ref: 0041068C
                                                                                                    • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 004106A1
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                    • String ID: SHGetSpecialFolderPathA$shell32.dll
                                                                                                    • API String ID: 2574300362-543337301
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: memset
                                                                                                    • String ID: rows deleted
                                                                                                    • API String ID: 2221118986-571615504
                                                                                                    APIs
                                                                                                    • memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041B59F
                                                                                                    • memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041B5B5
                                                                                                    • memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041B5C4
                                                                                                    • memcmp.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041B60C
                                                                                                    • memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041B627
                                                                                                    Similarity
                                                                                                    • API ID: memcpy$memcmp
                                                                                                    • String ID:
                                                                                                    • API String ID: 3384217055-0
                                                                                                    APIs
                                                                                                      • Part of subcall function 00407142: memset.MSVCRT ref: 00407150
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,0044358C,?,004436E8,?,00000000), ref: 0044288D
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,0044358C,?,004436E8,?,00000000), ref: 004428AB
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044358C,?,004436E8,?,00000000), ref: 004428C6
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044358C,?,004436E8,?,00000000), ref: 004428EF
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044358C,?,004436E8,?,00000000), ref: 00442913
                                                                                                    Similarity
                                                                                                    • API ID: ??2@$memset
                                                                                                    • String ID:
                                                                                                    • API String ID: 1860491036-0
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 004048BD
                                                                                                    • memset.MSVCRT ref: 004048D1
                                                                                                    • memset.MSVCRT ref: 004048E5
                                                                                                    • memcpy.MSVCRT(?,00406546,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,?,?), ref: 004048F7
                                                                                                    • memcpy.MSVCRT(?,00406546,?,?,00406546,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 00404909
                                                                                                    Similarity
                                                                                                    • API ID: memset$memcpy
                                                                                                    • String ID:
                                                                                                    • API String ID: 368790112-0
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040CFE4
                                                                                                    • memset.MSVCRT ref: 0040CFFA
                                                                                                    • memset.MSVCRT ref: 0040D00C
                                                                                                    • memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040380C,00000000), ref: 0040D031
                                                                                                    • memset.MSVCRT ref: 0040D03B
                                                                                                    Similarity
                                                                                                    • API ID: memset$memcpy
                                                                                                    • String ID:
                                                                                                    • API String ID: 368790112-0
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: memset
                                                                                                    • String ID: +MA$psow$winOpen
                                                                                                    • API String ID: 2221118986-3077801942
                                                                                                    APIs
                                                                                                    • __allrem.LIBCMT ref: 00424F52
                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00424F87
                                                                                                    • __allrem.LIBCMT ref: 00425035
                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042507D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                                    • String ID:
                                                                                                    • API String ID: 1992179935-0
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    • too many SQL variables, xrefs: 0042BD54
                                                                                                    • variable number must be between ?1 and ?%d, xrefs: 0042BC19
                                                                                                    Similarity
                                                                                                    • API ID: memset
                                                                                                    • String ID: too many SQL variables$variable number must be between ?1 and ?%d
                                                                                                    • API String ID: 2221118986-515162456
                                                                                                    APIs
                                                                                                    • memcpy.MSVCRT(00000000,?,00000000), ref: 0042F6A9
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: memcpy
                                                                                                    • String ID: $, $CREATE TABLE
                                                                                                    • API String ID: 3510742995-3459038510
                                                                                                    APIs
                                                                                                      • Part of subcall function 00410475: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,0040264A,?), ref: 0041048B
                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 004026D6
                                                                                                    • memset.MSVCRT ref: 0040269F
                                                                                                      • Part of subcall function 0041025A: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410277
                                                                                                      • Part of subcall function 0041025A: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410298
                                                                                                      • Part of subcall function 0041025A: memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 004102D6
                                                                                                      • Part of subcall function 0041025A: CoTaskMemFree.COMBASE(00000000), ref: 004102E5
                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 0040278E
                                                                                                    • LocalFree.KERNEL32(?), ref: 00402798
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharFreeFromMultiStringUuidWide$LocalQueryTaskValuememcpymemset
                                                                                                    • String ID:
                                                                                                    • API String ID: 3503910906-0
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040C642
                                                                                                    • SendMessageA.USER32(00000000,00000423,00000000,00000000), ref: 0040C686
                                                                                                    • GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040C6A0
                                                                                                    • PostMessageA.USER32(?,00000402,00000000,00000000), ref: 0040C743
                                                                                                    Similarity
                                                                                                    • API ID: Message$MenuPostSendStringmemset
                                                                                                    • String ID:
                                                                                                    • API String ID: 3798638045-0
                                                                                                    APIs
                                                                                                      • Part of subcall function 00409B5A: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000), ref: 00409B7B
                                                                                                      • Part of subcall function 00409B5A: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 00409C42
                                                                                                    • strlen.MSVCRT ref: 0040B366
                                                                                                    • atoi.MSVCRT(?,00000000,?,74DF0A60,?,00000000), ref: 0040B374
                                                                                                    • _mbsicmp.MSVCRT ref: 0040B3C7
                                                                                                    • _mbsicmp.MSVCRT ref: 0040B3DA
                                                                                                    Similarity
                                                                                                    • API ID: _mbsicmp$??2@??3@atoistrlen
                                                                                                    • String ID:
                                                                                                    • API String ID: 4107816708-0
                                                                                                    APIs
                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00410D7C
                                                                                                    • _gmtime64.MSVCRT ref: 00410DA5
                                                                                                    • memcpy.MSVCRT(?,00000000,00000024,?,?,000003E8,00000000), ref: 00410DB9
                                                                                                    • strftime.MSVCRT ref: 00410DE4
                                                                                                    Similarity
                                                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_gmtime64memcpystrftime
                                                                                                    • String ID:
                                                                                                    • API String ID: 1886415126-0
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: strlen
                                                                                                    • String ID: >$>$>
                                                                                                    • API String ID: 39653677-3911187716
                                                                                                    APIs
                                                                                                    • memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00443EE6,?,?,?,00000008,?,00000000,00000000), ref: 0040CF6A
                                                                                                    • memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00443EE6,?,?,?,00000008,?,00000000,00000000), ref: 0040CF94
                                                                                                    • memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00443EE6,?,?,?,00000008,?,00000000,00000000), ref: 0040CFB8
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: memcpy
                                                                                                    • String ID: @
                                                                                                    • API String ID: 3510742995-2766056989
                                                                                                    APIs
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,0040140F,?,?,?,?,0044CF78,0000000C), ref: 00407D68
                                                                                                    • memset.MSVCRT ref: 00407D79
                                                                                                    • memcpy.MSVCRT(00450914,?,00000000,00000000,00000000,00000000,00000000,?,?,0040140F,?,?,?,?,0044CF78,0000000C), ref: 00407D85
                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 00407D92
                                                                                                    Similarity
                                                                                                    • API ID: ??2@??3@memcpymemset
                                                                                                    • String ID:
                                                                                                    • API String ID: 1865533344-0
                                                                                                    APIs
                                                                                                    • SHGetMalloc.SHELL32(?), ref: 00410890
                                                                                                    • SHBrowseForFolder.SHELL32(?), ref: 004108C2
                                                                                                    • SHGetPathFromIDList.SHELL32(00000000,?), ref: 004108D6
                                                                                                    • _mbscpy.MSVCRT(?,?), ref: 004108E9
                                                                                                    Similarity
                                                                                                    • API ID: BrowseFolderFromListMallocPath_mbscpy
                                                                                                    • String ID:
                                                                                                    • API String ID: 1479990042-0
                                                                                                    APIs
                                                                                                      • Part of subcall function 00408B27: LoadStringA.USER32(00000000,0000000D,?,?), ref: 00408BF0
                                                                                                      • Part of subcall function 00408B27: memcpy.MSVCRT(00000000,00000001,?,?,?,?,?,00000000,74DF0A60), ref: 00408C2F
                                                                                                    • sprintf.MSVCRT ref: 0040B684
                                                                                                    • SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B6E7
                                                                                                      • Part of subcall function 00408B27: _mbscpy.MSVCRT(00451308,strings,?,?,00409A4F,?,?,?,?,?,00000000,74DF0A60), ref: 00408BA2
                                                                                                      • Part of subcall function 00408B27: strlen.MSVCRT ref: 00408BC0
                                                                                                    • sprintf.MSVCRT ref: 0040B6AE
                                                                                                    • _mbscat.MSVCRT ref: 0040B6C1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sprintf$LoadMessageSendString_mbscat_mbscpymemcpystrlen
                                                                                                    • String ID:
                                                                                                    • API String ID: 203655857-0
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040AB44
                                                                                                    • memset.MSVCRT ref: 0040AB5A
                                                                                                      • Part of subcall function 0040A245: _mbscpy.MSVCRT(00000000,?,0040A92E,?,?,?), ref: 0040A24A
                                                                                                      • Part of subcall function 0040A245: _strlwr.MSVCRT ref: 0040A28D
                                                                                                    • sprintf.MSVCRT ref: 0040AB84
                                                                                                      • Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
                                                                                                      • Part of subcall function 00406AD1: WriteFile.KERNEL32(00445BB0,00000001,00000000,74DF0A60,00000000,?,?,0040A51A,00000001,00445BB0,74DF0A60), ref: 00406AEB
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
                                                                                                    • String ID: </%s>
                                                                                                    • API String ID: 3699762281-259020660
                                                                                                    APIs
                                                                                                      • Part of subcall function 00417026: memcmp.MSVCRT(?,00448068,00000008), ref: 004170E8
                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418052
                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041809C
                                                                                                    Strings
                                                                                                    • recovered %d pages from %s, xrefs: 004181E0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$memcmp
                                                                                                    • String ID: recovered %d pages from %s
                                                                                                    • API String ID: 985450955-1623757624
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _ultoasprintf
                                                                                                    • String ID: %s %s %s
                                                                                                    • API String ID: 432394123-3850900253
                                                                                                    APIs
                                                                                                    • SendMessageA.USER32(?,0000101A,00000000,?), ref: 00409655
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend
                                                                                                    • String ID: "$lD
                                                                                                    • API String ID: 3850602802-3281613384
                                                                                                    APIs
                                                                                                      • Part of subcall function 00406A9F: CreateFileA.KERNEL32(R7D,80000000,00000001,00000000,00000003,00000000,00000000,0044368E,?,.8D,00443752,?,?,*.oeaccount,.8D,?), ref: 00406AB1
                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,0040EC43,?,00000000,?,?,?,?,?,?), ref: 004086C3
                                                                                                      • Part of subcall function 00407691: ??3@YAXPAX@Z.MSVCRT(00000000,004068A1), ref: 00407698
                                                                                                      • Part of subcall function 00407691: ??2@YAPAXI@Z.MSVCRT(00000000,004068A1), ref: 004076A6
                                                                                                      • Part of subcall function 004072EF: ReadFile.KERNEL32(00000000,?,004436D1,00000000,00000000,?,?,004436D1,?,00000000), ref: 00407306
                                                                                                    • CloseHandle.KERNEL32(?,?), ref: 0040870D
                                                                                                      • Part of subcall function 0040767C: ??3@YAXPAX@Z.MSVCRT(00000000,00404107,?,?,004041CC), ref: 00407683
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: File$??3@$??2@CloseCreateHandleReadSize
                                                                                                    • String ID: C@
                                                                                                    • API String ID: 1449862175-3201871010
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _mbscpy
                                                                                                    • String ID: L$ini
                                                                                                    • API String ID: 714388716-4234614086
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    • failed memory resize %u to %u bytes, xrefs: 00411074
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _msizerealloc
                                                                                                    • String ID: failed memory resize %u to %u bytes
                                                                                                    • API String ID: 2713192863-2134078882
                                                                                                    APIs
                                                                                                    • LoadMenuA.USER32(00000000), ref: 00408DE9
                                                                                                    • sprintf.MSVCRT ref: 00408E0C
                                                                                                      • Part of subcall function 00408C8C: GetMenuItemCount.USER32(?), ref: 00408CA2
                                                                                                      • Part of subcall function 00408C8C: memset.MSVCRT ref: 00408CC6
                                                                                                      • Part of subcall function 00408C8C: GetMenuItemInfoA.USER32(?), ref: 00408CFC
                                                                                                      • Part of subcall function 00408C8C: memset.MSVCRT ref: 00408D29
                                                                                                      • Part of subcall function 00408C8C: strchr.MSVCRT ref: 00408D35
                                                                                                      • Part of subcall function 00408C8C: _mbscat.MSVCRT ref: 00408D90
                                                                                                      • Part of subcall function 00408C8C: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 00408DAC
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
                                                                                                    • String ID: menu_%d
                                                                                                    • API String ID: 1129539653-2417748251
                                                                                                    APIs
                                                                                                      • Part of subcall function 00406D34: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,00409576,00000000,00409494,?,00000000,00000104,?), ref: 00406D3F
                                                                                                    • strrchr.MSVCRT ref: 00409579
                                                                                                    • _mbscat.MSVCRT ref: 0040958E
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileModuleName_mbscatstrrchr
                                                                                                    • String ID: _lng.ini
                                                                                                    • API String ID: 3334749609-1948609170
                                                                                                    • Opcode ID: cbeadcb365c5e1059abcdd69aa521e3befff016931b47f237a8ed2b0a3b7c0c9
                                                                                                    • Instruction ID: 2d2b68270352c45da0ce721119a0fec427a5e2ae0c2a4fc26ba4743072087242
                                                                                                    • Opcode Fuzzy Hash: cbeadcb365c5e1059abcdd69aa521e3befff016931b47f237a8ed2b0a3b7c0c9
                                                                                                    • Instruction Fuzzy Hash: 25C080521466A024F1173222AD03B4F05844F5370CF25005BFD01351C3EF9D453141FF
                                                                                                    APIs
                                                                                                    • _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,0040210D,00000000,nss3.dll), ref: 00406E89
                                                                                                      • Part of subcall function 00406AF3: strlen.MSVCRT ref: 00406AF4
                                                                                                      • Part of subcall function 00406AF3: _mbscat.MSVCRT ref: 00406B0B
                                                                                                    • _mbscat.MSVCRT ref: 00406E98
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _mbscat$_mbscpystrlen
                                                                                                    • String ID: sqlite3.dll
                                                                                                    • API String ID: 1983510840-1155512374
                                                                                                    • Opcode ID: e9aa28a1aba75e1ed8dd627c1ecc989c913cd1d7d34d9111dace04d596deddf2
                                                                                                    • Instruction ID: b4f080e30331be102d7f345a143f57ec91a882a22c28ed8e87256c61ce2af050
                                                                                                    • Opcode Fuzzy Hash: e9aa28a1aba75e1ed8dd627c1ecc989c913cd1d7d34d9111dace04d596deddf2
                                                                                                    • Instruction Fuzzy Hash: E3C0803240513125BB0177717C028AF7D48DF82394B01046EF58561111DD694D3255EB
                                                                                                    APIs
                                                                                                    • GetWindowLongA.USER32(?,000000EC), ref: 0040715F
                                                                                                    • SetWindowLongA.USER32(00000001,000000EC,00000000), ref: 00407171
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: LongWindow
                                                                                                    • String ID: MZ@
                                                                                                    • API String ID: 1378638983-2978689999
                                                                                                    • Opcode ID: 62d406e91696c119d1ef4349822734d3511295de081a498f539da8bd6014a39e
                                                                                                    • Instruction ID: 804470ff31f0757d593f161739aa594d3f3a9703a836b83944ab3f82d4068dae
                                                                                                    • Opcode Fuzzy Hash: 62d406e91696c119d1ef4349822734d3511295de081a498f539da8bd6014a39e
                                                                                                    • Instruction Fuzzy Hash: 55C0123015C4176BCF001B24EC05E163E54B782321F2047717067D00F2C7704400A904
                                                                                                    APIs
                                                                                                    • GetPrivateProfileStringA.KERNEL32(Server Details,?,0044551F,34@,0000007F,?), ref: 004033BA
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: PrivateProfileString
                                                                                                    • String ID: 34@$Server Details
                                                                                                    • API String ID: 1096422788-1041202369
                                                                                                    • Opcode ID: c5e07b1729637358d3cbf99362b971886faaa8c49ae95f38c817c63fe3903b9a
                                                                                                    • Instruction ID: 5dc36b059aaaf95d4d37dbe6dd28276a8f332030ee7f3b0879c7395586969e1a
                                                                                                    • Opcode Fuzzy Hash: c5e07b1729637358d3cbf99362b971886faaa8c49ae95f38c817c63fe3903b9a
                                                                                                    • Instruction Fuzzy Hash: FFC04C36948B01BBDE029F909D05F1EBE62BBA8B01F504519F285210AB82754524EB26
                                                                                                    APIs
                                                                                                    • memcpy.MSVCRT(?,?,0000201C), ref: 0042BF32
                                                                                                    • memcpy.MSVCRT(?,?,?), ref: 0042BF68
                                                                                                    • memset.MSVCRT ref: 0042BF83
                                                                                                    • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0042BFBF
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpy$memset
                                                                                                    • String ID:
                                                                                                    • API String ID: 438689982-0
                                                                                                    • Opcode ID: f2cf12dda973bb4c216f8cbd091c1f622c493a2bbdd48a3f51df23d375ad87cf
                                                                                                    • Instruction ID: 1cbfd9147006f86015284e0c7f96a5a033359537089e49602f9f07bbf2bf02d4
                                                                                                    • Opcode Fuzzy Hash: f2cf12dda973bb4c216f8cbd091c1f622c493a2bbdd48a3f51df23d375ad87cf
                                                                                                    • Instruction Fuzzy Hash: B761DE72604702AFDB20DF65E981A6BB7E4FF44304F44492EFA5982250D738ED54CBDA
                                                                                                    APIs
                                                                                                    • strlen.MSVCRT ref: 0040820C
                                                                                                    • memset.MSVCRT ref: 00408244
                                                                                                    • memcpy.MSVCRT(?,00000000,?,?,?,?,75A8EB20,?,00000000), ref: 00408301
                                                                                                    • LocalFree.KERNEL32(00000000,?,?,?,?,75A8EB20,?,00000000), ref: 0040832C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FreeLocalmemcpymemsetstrlen
                                                                                                    • String ID:
                                                                                                    • API String ID: 3110682361-0
                                                                                                    • Opcode ID: 6a7b548f29a88bb164d7db8396ffa993919f03bd7a702a17bdc889a97222cfb3
                                                                                                    • Instruction ID: 82d09d3ec766172f421874171fbd662b4eebf604b8883e80537bb62e226e9057
                                                                                                    • Opcode Fuzzy Hash: 6a7b548f29a88bb164d7db8396ffa993919f03bd7a702a17bdc889a97222cfb3
                                                                                                    • Instruction Fuzzy Hash: 0631F832D0011D9BDF10DB64CD81BDEBBB8EF55314F1005BAE984B7281DA799E85CB94
                                                                                                    APIs
                                                                                                    • memcpy.MSVCRT(?,?,00000010), ref: 00415B30
                                                                                                    • memcpy.MSVCRT(?,?,00000004), ref: 00415B54
                                                                                                    • memcpy.MSVCRT(?,?,00000004), ref: 00415B7B
                                                                                                    • memcpy.MSVCRT(?,?,00000008), ref: 00415BA1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpy
                                                                                                    • String ID:
                                                                                                    • API String ID: 3510742995-0
                                                                                                    • Opcode ID: fabc9ae393473dab2d99963d71926c72f988121b711c3d64f0b7c32c5eef3d59
                                                                                                    • Instruction ID: c59a560e0875e34eddc7238b356bca14a42e0d2f6379eea325777a24e0ec34d0
                                                                                                    • Opcode Fuzzy Hash: fabc9ae393473dab2d99963d71926c72f988121b711c3d64f0b7c32c5eef3d59
                                                                                                    • Instruction Fuzzy Hash: 2E11E6B7D00618ABDB01DFA4DC899DEB7ACEB49310F414836FA05CB140E634E2488799
                                                                                                    APIs
                                                                                                      • Part of subcall function 00407142: memset.MSVCRT ref: 00407150
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,?,00404016,00000000,?,0040CA4D,00000000), ref: 00409710
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,00404016,00000000,?,0040CA4D,00000000), ref: 00409739
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,00404016,00000000,?,0040CA4D,00000000), ref: 0040975A
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,00404016,00000000,?,0040CA4D,00000000), ref: 0040977B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ??2@$memset
                                                                                                    • String ID:
                                                                                                    • API String ID: 1860491036-0
                                                                                                    • Opcode ID: 62f2e249397fd1a2ca60cf8b2d80239c75cf052ee3fd894fe4fd363b7384249c
                                                                                                    • Instruction ID: 34b624653e935ab7e36b2538589d62cee4ebe89d27a66743b3a416ac641d4af2
                                                                                                    • Opcode Fuzzy Hash: 62f2e249397fd1a2ca60cf8b2d80239c75cf052ee3fd894fe4fd363b7384249c
                                                                                                    • Instruction Fuzzy Hash: 8321B3B5A65300CEE7559F6A9845915FBE4FF90310B2AC8BF9218DB2B2D7B8C8408B15
                                                                                                    APIs
                                                                                                    • strlen.MSVCRT ref: 00407709
                                                                                                    • free.MSVCRT ref: 00407729
                                                                                                      • Part of subcall function 00406CCE: malloc.MSVCRT ref: 00406CEA
                                                                                                      • Part of subcall function 00406CCE: memcpy.MSVCRT(00000000,00000000,00000000,00000000,74DF0A60,004077D2,00000001,?,00000000,74DF0A60,00407B4C,00000000,?,?), ref: 00406D02
                                                                                                      • Part of subcall function 00406CCE: free.MSVCRT ref: 00406D0B
                                                                                                    • free.MSVCRT ref: 0040774C
                                                                                                    • memcpy.MSVCRT(?,?,?,00000001,?,00000000,?,?,00407B93,?,00000000,?,?), ref: 0040776C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.2749785905.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.2749785905.000000000044F000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000006.00000002.2749785905.0000000000452000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: free$memcpy$mallocstrlen
                                                                                                    • String ID:
                                                                                                    • API String ID: 3669619086-0
                                                                                                    • Opcode ID: 5a728dae3c8c340d401125afcd4c8680a2fa5bf69a889e80920912f063c18ec5
                                                                                                    • Instruction ID: 5e9a081d75c64704428ce8041afbbeb9d52fcced2ab343c8e96fa08cc39daf7c
                                                                                                    • Opcode Fuzzy Hash: 5a728dae3c8c340d401125afcd4c8680a2fa5bf69a889e80920912f063c18ec5
                                                                                                    • Instruction Fuzzy Hash: E411DF71200600DFD730EF18D981D9AB7F5EF443247108A2EF552A7692C736B919CB54

                                                                                                    Execution Graph

                                                                                                    Execution Coverage:14%
                                                                                                    Dynamic/Decrypted Code Coverage:4%
                                                                                                    Signature Coverage:2.8%
                                                                                                    Total number of Nodes:1700
                                                                                                    Total number of Limit Nodes:51
2 API calls 6994->6996 6995->6989 6996->6992 6996->6993 6996->6994 6997 40e54d 33 API calls 6996->6997 6997->6996 6999 40e012 6998->6999 7001 40e05d 6999->7001 7002 40e031 6999->7002 8040 40dd65 6999->8040 7001->6784 7003 40783b 9 API calls 7002->7003 7008 40e05b 7003->7008 7004 407898 9 API calls 7004->7008 7005 40e08e 7007 407930 FindClose 7005->7007 7006 407800 2 API calls 7006->7008 7007->7001 7008->7004 7008->7005 7008->7006 7009 40dfd9 30 API calls 7008->7009 7009->7008 7011 414060 7010->7011 7012 40e0ae memset strlen strlen 7011->7012 7013 40e0fe GetPrivateProfileIntA 7012->7013 7014 40e0eb 7012->7014 7017 40e28c 7013->7017 7022 40e12e 7013->7022 7016 406b4b 4 API calls 7014->7016 7016->7013 7017->6785 7018 40e133 8 API calls 7018->7022 7019 4029d9 strlen 7019->7022 7020 40dcf2 strtoul 7020->7022 7021 406958 strlen memcpy 7021->7022 7022->7017 7022->7018 7022->7019 7022->7020 7022->7021 7024 40ec1a 7023->7024 7025 40eb5c memset strlen strlen 7023->7025 7024->6794 7026 40eb93 7025->7026 7027 40eba9 7025->7027 7028 406b4b 4 API calls 7026->7028 7027->7024 8059 4069d3 GetFileAttributesA 7027->8059 7028->7027 7030 40ebc8 7030->7024 8060 412d65 7030->8060 7034 40ebfd 7035 40ec0f 7034->7035 8081 412f4b 7034->8081 8101 412e4d 7035->8101 7041 40eb33 7040->7041 7042 40ea75 memset strlen strlen 7040->7042 7041->6795 7043 40eac2 7042->7043 7044 40eaac 7042->7044 7043->7041 8152 4069d3 GetFileAttributesA 7043->8152 7045 406b4b 4 API calls 7044->7045 7045->7043 7047 40eae1 7047->7041 7048 412d65 6 API calls 7047->7048 7049 40eaf1 7048->7049 7050 412f02 6 API calls 7049->7050 7051 40eb16 7050->7051 7052 40eb28 7051->7052 7053 412f4b 12 API calls 7051->7053 7054 412e4d 9 API calls 7052->7054 7055 40eb21 7053->7055 7054->7041 7056 40d1a5 22 API calls 7055->7056 7056->7052 7058 40f093 7057->7058 7059 40efd6 7057->7059 7058->6805 7060 40783b 9 API calls 7059->7060 7061 40effd 7060->7061 7062 407898 9 API calls 7061->7062 7067 40f008 7062->7067 7063 40f088 7064 407930 
FindClose 7063->7064 7064->7058 7066 407898 9 API calls 7066->7067 7067->7063 7067->7066 7069 40f076 CloseHandle 7067->7069 7070 40f05d CloseHandle 7067->7070 8153 4067ba CreateFileA 7067->8153 8154 40f8a8 7067->8154 7069->7067 7070->7067 7071->6826 7152 404109 7072->7152 7075 410085 7168 404170 7075->7168 7079 404ce0 FreeLibrary 7080 41009c 7079->7080 7080->6826 7081 40ffbb 7081->7075 7082 41003a WideCharToMultiByte 7081->7082 7083 410061 WideCharToMultiByte 7082->7083 7084 41007a LocalFree 7082->7084 7083->7084 7084->7075 7086 414060 7085->7086 7087 4103fe RegOpenKeyExA 7086->7087 7088 40dcc1 7087->7088 7089 410428 RegOpenKeyExA 7087->7089 7099 410205 7088->7099 7090 410440 RegQueryValueExA 7089->7090 7091 41050f RegCloseKey 7089->7091 7092 410506 RegCloseKey 7090->7092 7093 41046d 7090->7093 7091->7088 7092->7091 7094 404c9d 3 API calls 7093->7094 7095 41047a 7094->7095 7095->7092 7096 4104fd LocalFree 7095->7096 7097 4104bf memcpy memcpy 7095->7097 7096->7092 7171 4100a4 7097->7171 7187 406b3b 7099->7187 7102 404109 5 API calls 7111 41023a 7102->7111 7103 41036e 7104 404170 FreeLibrary 7103->7104 7105 40dcca 7104->7105 7105->6849 7112 410383 7105->7112 7106 410296 memset WideCharToMultiByte 7107 4102d1 _strnicmp 7106->7107 7106->7111 7107->7111 7109 4102f6 WideCharToMultiByte 7110 410316 WideCharToMultiByte 7109->7110 7109->7111 7110->7111 7111->7103 7111->7106 7190 40fd01 memset memset 7111->7190 7113 406b06 GetVersionExA 7112->7113 7115 41038e 7113->7115 7114 4103ed 7114->6849 7115->7114 7191 4028e7 7115->7191 7118 4103ca 7200 404380 memset 7118->7200 7119 4103ba _mbscpy 7119->7118 7122 404380 152 API calls 7122->7114 7124 40ff74 RegCloseKey 7123->7124 7125 40fe9a 7123->7125 7124->6826 7125->7124 7126 40ff18 7125->7126 7127 404c9d 3 API calls 7125->7127 7128 40ff60 7126->7128 7477 4029d9 strlen 7126->7477 7133 40fec1 7127->7133 7128->7124 7130 40ff10 7132 404ce0 FreeLibrary 7130->7132 7131 40ff3e RegQueryValueExA 7131->7128 7132->7126 7133->7130 7134 40fef1 
memcpy 7133->7134 7135 40ff07 LocalFree 7133->7135 7134->7135 7135->7130 7137 40fe48 RegCloseKey 7136->7137 7138 40fd6c 7136->7138 7137->6830 7138->7137 7139 404c9d 3 API calls 7138->7139 7143 40fd97 7139->7143 7140 40fdec 7141 404ce0 FreeLibrary 7140->7141 7142 40fdf4 7141->7142 7142->7137 7146 4029d9 strlen 7142->7146 7143->7140 7144 40fde3 LocalFree 7143->7144 7145 40fdc7 memcpy 7143->7145 7144->7140 7145->7144 7147 40fe17 RegQueryValueExA 7146->7147 7147->7137 7148 40fe35 7147->7148 7148->7137 7150 404cf4 7149->7150 7151 404cea FreeLibrary 7149->7151 7150->6853 7151->7150 7153 404170 FreeLibrary 7152->7153 7154 404111 LoadLibraryA 7153->7154 7155 404122 GetProcAddress GetProcAddress GetProcAddress 7154->7155 7156 40416b 7154->7156 7157 404153 7155->7157 7156->7075 7160 404c9d 7156->7160 7158 404170 FreeLibrary 7157->7158 7159 40415d 7157->7159 7158->7156 7159->7156 7161 404ce0 FreeLibrary 7160->7161 7162 404ca5 LoadLibraryA 7161->7162 7163 404cd0 7162->7163 7164 404cb6 GetProcAddress 7162->7164 7165 404cdb 7163->7165 7167 404ce0 FreeLibrary 7163->7167 7164->7163 7166 404cc9 7164->7166 7165->7081 7166->7163 7167->7165 7169 404180 7168->7169 7170 404176 FreeLibrary 7168->7170 7169->7079 7170->7169 7172 414060 7171->7172 7173 4100b1 RegOpenKeyExA 7172->7173 7174 4100d6 memset 7173->7174 7175 4101fe 7173->7175 7176 4101e4 RegEnumKeyA 7174->7176 7175->7096 7177 410103 RegOpenKeyExA 7176->7177 7178 4101f5 RegCloseKey 7176->7178 7179 410125 RegQueryValueExA 7177->7179 7181 41014e 7177->7181 7178->7175 7180 4101cd RegCloseKey 7179->7180 7179->7181 7180->7181 7181->7176 7181->7180 7183 406958 2 API calls 7181->7183 7186 40fd01 memset memset 7181->7186 7184 41019d WideCharToMultiByte 7183->7184 7185 4101c2 LocalFree 7184->7185 7185->7180 7186->7181 7188 406b06 GetVersionExA 7187->7188 7189 406b40 7188->7189 7189->7102 7190->7109 7209 4066e3 7191->7209 7194 402918 7196 4066e3 strncat 7194->7196 7195 40293a 7195->7118 7195->7119 7197 402922 GetProcAddress 7196->7197 7198 
402933 FreeLibrary 7197->7198 7199 40292e 7197->7199 7198->7195 7199->7198 7201 41223f 10 API calls 7200->7201 7202 4043b7 7201->7202 7203 40680e 2 API calls 7202->7203 7208 4043da 7202->7208 7204 4043c2 7203->7204 7213 406efe strlen strlen 7204->7213 7208->7122 7210 406712 7209->7210 7211 4066f0 strncat 7210->7211 7212 402901 GetModuleHandleA 7210->7212 7211->7210 7212->7194 7212->7195 7214 4043cc 7213->7214 7215 406f1b _mbscat 7213->7215 7216 4042aa 7214->7216 7215->7214 7230 40783b 7216->7230 7220 40436c 7266 407930 7220->7266 7223 406b3b GetVersionExA 7225 4042ee 7223->7225 7225->7220 7225->7223 7226 40430c _strnicmp 7225->7226 7228 4042aa 141 API calls 7225->7228 7229 407898 9 API calls 7225->7229 7248 404220 7225->7248 7262 407800 7225->7262 7226->7225 7228->7225 7229->7225 7231 407930 FindClose 7230->7231 7232 407846 7231->7232 7233 406958 2 API calls 7232->7233 7234 40785a strlen strlen 7233->7234 7235 407883 7234->7235 7236 4042e3 7234->7236 7237 406b4b 4 API calls 7235->7237 7238 407898 7236->7238 7237->7236 7239 4078a3 FindFirstFileA 7238->7239 7240 4078c4 FindNextFileA 7238->7240 7241 4078df 7239->7241 7242 4078e6 strlen strlen 7240->7242 7243 4078da 7240->7243 7241->7242 7247 40791f 7241->7247 7245 407916 7242->7245 7242->7247 7244 407930 FindClose 7243->7244 7244->7241 7246 406b4b 4 API calls 7245->7246 7246->7247 7247->7225 7269 4067ba CreateFileA 7248->7269 7250 404233 7251 4042a0 7250->7251 7252 40423e GetFileSize 7250->7252 7251->7225 7253 404253 ??2@YAPAXI 7252->7253 7254 404297 CloseHandle 7252->7254 7270 406ed6 ReadFile 7253->7270 7254->7251 7257 404290 ??3@YAXPAX 7257->7254 7258 406b3b GetVersionExA 7259 404275 7258->7259 7272 4049e6 7259->7272 7263 40780a strcmp 7262->7263 7265 407832 7262->7265 7264 407821 strcmp 7263->7264 7263->7265 7264->7265 7265->7225 7267 404377 7266->7267 7268 407939 FindClose 7266->7268 7267->7208 7268->7267 7269->7250 7271 404269 7270->7271 7271->7257 7271->7258 7311 4043e4 memset 7272->7311 7274 4049fc 7275 40428d 
7274->7275 7276 404a04 OpenProcess 7274->7276 7275->7257 7276->7275 7277 404a1c memset GetModuleHandleA 7276->7277 7326 411ba1 7277->7326 7280 404a66 GetProcAddress 7281 404a61 7280->7281 7282 411ba1 6 API calls 7281->7282 7283 404a77 7282->7283 7284 404a82 7283->7284 7285 404a87 GetProcAddress 7283->7285 7286 411ba1 6 API calls 7284->7286 7285->7284 7287 404a98 7286->7287 7288 404aa3 7287->7288 7289 404aa8 GetProcAddress 7287->7289 7290 411ba1 6 API calls 7288->7290 7289->7288 7291 404ab9 7290->7291 7292 404ac4 7291->7292 7293 404ac9 GetProcAddress 7291->7293 7294 404acb VirtualAllocEx VirtualAllocEx VirtualAllocEx VirtualAllocEx 7292->7294 7293->7294 7295 404c57 VirtualFreeEx VirtualFreeEx VirtualFreeEx VirtualFreeEx CloseHandle 7294->7295 7296 404b2c 7294->7296 7295->7275 7296->7295 7297 404b46 WriteProcessMemory 7296->7297 7330 40496d _mbscat _mbscpy _mbscpy 7297->7330 7299 404b65 WriteProcessMemory WriteProcessMemory 7331 411fc6 GetVersionExA 7299->7331 7304 404c11 ??2@YAPAXI ReadProcessMemory 7306 404c31 7304->7306 7307 404c42 ??3@YAXPAX 7304->7307 7305 404c49 7305->7295 7308 404c4e FreeLibrary 7305->7308 7353 404915 7306->7353 7307->7305 7308->7295 7312 404436 _mbscpy 7311->7312 7313 404429 GetSystemDirectoryA 7311->7313 7314 40680e 2 API calls 7312->7314 7313->7312 7315 404450 7314->7315 7316 4028e7 4 API calls 7315->7316 7317 404455 7316->7317 7318 406efe 3 API calls 7317->7318 7319 40448f 7318->7319 7361 411147 7319->7361 7323 4044a3 7324 4044cd 7323->7324 7325 4044ac memcpy 7323->7325 7324->7274 7325->7324 7327 411bb3 GetModuleHandleA GetProcAddress 7326->7327 7328 404a50 7326->7328 7327->7328 7329 411be4 GetModuleHandleA GetProcAddress strlen strlen 7327->7329 7328->7280 7328->7281 7329->7328 7330->7299 7332 41206a CreateRemoteThread 7331->7332 7333 411fec 7331->7333 7335 404bac 7332->7335 7454 411f43 7333->7454 7336 4044de 7335->7336 7337 410daa 2 API calls 7336->7337 7339 4044f8 7337->7339 7338 404565 7340 404574 ResumeThread WaitForSingleObject 
CloseHandle memset ReadProcessMemory 7338->7340 7341 40456b FreeLibrary 7338->7341 7339->7338 7342 410d8a LoadLibraryA 7339->7342 7340->7304 7340->7305 7341->7340 7343 404509 7342->7343 7344 40455a CloseHandle 7343->7344 7345 40450d GetProcAddress 7343->7345 7344->7338 7346 404522 7345->7346 7347 404559 7345->7347 7346->7347 7348 410d8a LoadLibraryA 7346->7348 7347->7344 7349 404537 7348->7349 7350 404550 CloseHandle 7349->7350 7351 40453b GetProcAddress 7349->7351 7350->7347 7351->7350 7352 404549 7351->7352 7352->7350 7354 406b3b GetVersionExA 7353->7354 7355 40491c 7354->7355 7356 404939 7355->7356 7357 404920 7355->7357 7359 404937 7356->7359 7360 404890 15 API calls 7356->7360 7357->7359 7458 404890 7357->7458 7359->7307 7360->7356 7383 406b2a 7361->7383 7364 411150 7386 4110af 7364->7386 7365 411157 7396 41102b 7365->7396 7368 404495 7369 411560 7368->7369 7370 41156d 7369->7370 7371 406b2a GetVersionExA 7370->7371 7372 411575 7371->7372 7374 41158b memset K32EnumProcesses 7372->7374 7375 41161e 7372->7375 7373 411616 7373->7323 7374->7373 7377 4115c7 7374->7377 7375->7373 7379 411650 _mbscpy 7375->7379 7380 411696 CloseHandle 7375->7380 7377->7373 7404 4112d9 7377->7404 7417 411172 7377->7417 7433 41172b 7377->7433 7382 41172b 8 API calls 7379->7382 7380->7373 7382->7375 7384 406b06 GetVersionExA 7383->7384 7385 406b2f 7384->7385 7385->7364 7385->7365 7387 4110bc LoadLibraryA 7386->7387 7388 411145 7386->7388 7387->7388 7389 4110ce GetProcAddress 7387->7389 7388->7368 7390 41112a 7389->7390 7391 4110e6 GetProcAddress 7389->7391 7390->7388 7392 41113e FreeLibrary 7390->7392 7391->7390 7393 4110f7 GetProcAddress 7391->7393 7392->7388 7393->7390 7394 411108 GetProcAddress 7393->7394 7394->7390 7395 411119 GetProcAddress 7394->7395 7395->7390 7397 411034 GetModuleHandleA 7396->7397 7403 4110a2 7396->7403 7398 411046 GetProcAddress 7397->7398 7397->7403 7399 41105e GetProcAddress 7398->7399 7398->7403 7400 41106f GetProcAddress 7399->7400 7399->7403 7401 411080 
GetProcAddress 7400->7401 7400->7403 7402 411091 GetProcAddress 7401->7402 7401->7403 7402->7403 7403->7368 7405 406b2a GetVersionExA 7404->7405 7406 4112ea 7405->7406 7407 41133e 7406->7407 7408 4112ee 7406->7408 7438 411255 7407->7438 7409 411350 7408->7409 7410 4112f6 OpenProcess 7408->7410 7409->7377 7410->7409 7412 41130b K32EnumProcessModules 7410->7412 7414 411320 K32GetModuleFileNameExA 7412->7414 7415 411335 CloseHandle 7412->7415 7414->7415 7416 411334 7414->7416 7415->7409 7416->7415 7418 411184 strchr 7417->7418 7419 411181 _mbscpy 7417->7419 7418->7419 7420 4111a4 7418->7420 7422 411250 7419->7422 7423 407139 3 API calls 7420->7423 7422->7377 7424 4111b3 7423->7424 7425 4111ba memset 7424->7425 7426 4111fd 7424->7426 7443 406bc3 7425->7443 7428 411202 memset 7426->7428 7429 411247 _mbscpy 7426->7429 7431 406bc3 2 API calls 7428->7431 7429->7422 7430 4111e0 _mbscpy _mbscat 7430->7422 7432 411228 memcpy _mbscat 7431->7432 7432->7422 7446 4116a9 strchr 7433->7446 7436 411743 memcpy 7437 411764 7436->7437 7437->7377 7439 4112b7 7438->7439 7440 411268 7438->7440 7439->7409 7440->7439 7441 4112b0 CloseHandle 7440->7441 7442 4112bc _mbscpy CloseHandle 7440->7442 7441->7439 7442->7439 7444 406bd2 GetWindowsDirectoryA 7443->7444 7445 406be3 _mbscpy 7443->7445 7444->7445 7445->7430 7447 4116d2 strchr 7446->7447 7452 4116c0 7446->7452 7448 4116ec memset 7447->7448 7447->7452 7450 406a87 _mbscpy strrchr 7448->7450 7449 4116c4 _strcmpi 7451 4116cb 7449->7451 7453 411715 _strcmpi 7450->7453 7451->7436 7451->7437 7452->7449 7453->7451 7455 411f4e LoadLibraryA 7454->7455 7457 411fc1 7454->7457 7456 411f63 GetProcAddress 7455->7456 7455->7457 7456->7457 7457->7335 7459 406b3b GetVersionExA 7458->7459 7460 4048a2 7459->7460 7461 40490b 7460->7461 7463 404578 wcslen memset 7460->7463 7461->7359 7464 406b3b GetVersionExA 7463->7464 7470 4045c7 7464->7470 7465 404649 wcschr 7467 40465c wcsncmp 7465->7467 7465->7470 7466 406b3b GetVersionExA 7466->7470 7467->7470 7468 
404c9d LoadLibraryA GetProcAddress FreeLibrary 7468->7470 7469 404824 memcpy 7469->7470 7470->7465 7470->7466 7470->7467 7470->7468 7470->7469 7471 404ce0 FreeLibrary 7470->7471 7472 40487f 7470->7472 7473 4046f1 memcpy wcschr 7470->7473 7474 4047d8 memcpy LocalFree 7470->7474 7471->7470 7472->7461 7475 404720 wcscpy 7473->7475 7476 404732 LocalFree 7473->7476 7474->7470 7475->7476 7476->7470 7478 4029f8 7477->7478 7478->7131 7479->6857 7480->6866 7481->6866 7483 4029d9 strlen 7482->7483 7484 4024a4 7483->7484 7485 4024b7 ??2@YAPAXI ??2@YAPAXI memcpy 7484->7485 7486 4024ac 7484->7486 7487 4025c8 7485->7487 7486->6874 7486->6875 7488 4025ea ??3@YAXPAX ??3@YAXPAX 7487->7488 7488->7486 7489->6881 7490->6887 7491->6887 7493 411d82 RegQueryValueExA 7492->7493 7494 40275e 7493->7494 7495 40282d RegCloseKey 7494->7495 7496 40276a strtoul 7494->7496 7495->6887 7496->7496 7497 402794 7496->7497 7498 4027ee _mbscpy _mbscpy 7497->7498 7498->7495 7499->6887 7511 411d68 RegOpenKeyExA 7500->7511 7502 413772 7503 40da13 7502->7503 7504 411d82 RegQueryValueExA 7502->7504 7503->6894 7503->6895 7505 41378b 7504->7505 7506 4137bc RegCloseKey 7505->7506 7507 411d82 RegQueryValueExA 7505->7507 7506->7503 7508 4137a6 7507->7508 7508->7506 7512 413a5a 7508->7512 7511->7502 7524 413646 strlen 7512->7524 7514 413a73 7515 413a92 7514->7515 7526 4137ce 7514->7526 7518 4137ba 7515->7518 7555 413b1d memset memset memset 7515->7555 7518->7506 7519 413aab 7519->7518 7520 413acb memset 7519->7520 7521 4137ce 21 API calls 7520->7521 7522 413afc 7521->7522 7522->7518 7523 413b05 _mbscpy 7522->7523 7523->7518 7525 413665 7524->7525 7525->7514 7527 414060 7526->7527 7528 4137db memset 7527->7528 7529 413646 strlen 7528->7529 7530 413809 strlen 7529->7530 7531 413a51 7530->7531 7532 413822 7530->7532 7531->7515 7532->7531 7533 41382a memset memset memset memset 7532->7533 7534 4138a4 7533->7534 7570 40c929 7534->7570 7536 4138b2 7577 40c9c7 7536->7577 7538 4138c1 memcpy 7539 4138dd 7538->7539 7540 
40c929 3 API calls 7539->7540 7541 4138ee 7540->7541 7542 40c9c7 5 API calls 7541->7542 7543 4138fa memcpy memcpy 7542->7543 7544 413928 7543->7544 7545 40c929 3 API calls 7544->7545 7546 413939 7545->7546 7547 40c9c7 5 API calls 7546->7547 7549 413945 7547->7549 7548 4139e2 _mbscpy 7550 413a00 7548->7550 7549->7548 7549->7549 7551 40c929 3 API calls 7550->7551 7552 413a0e 7551->7552 7553 40c9c7 5 API calls 7552->7553 7554 413a1a memcpy memcpy 7553->7554 7554->7531 7556 413646 strlen 7555->7556 7557 413b81 strlen 7556->7557 7558 413b99 7557->7558 7569 413c28 7557->7569 7559 413ba1 memcpy memcpy 7558->7559 7558->7569 7560 413bcf 7559->7560 7561 40c929 3 API calls 7560->7561 7562 413be1 7561->7562 7563 40c9c7 5 API calls 7562->7563 7564 413bf0 memcpy 7563->7564 7565 413c0e 7564->7565 7566 40c929 3 API calls 7565->7566 7567 413c1f 7566->7567 7568 40c9c7 5 API calls 7567->7568 7568->7569 7569->7519 7571 40c940 7570->7571 7572 40c960 memcpy 7571->7572 7573 40c967 memcpy 7571->7573 7576 40c97e 7571->7576 7572->7536 7573->7576 7574 40c98d memcpy 7574->7576 7576->7572 7576->7574 7578 40c9e1 memset 7577->7578 7579 40ca07 memset 7577->7579 7584 40ca46 7578->7584 7581 40ca16 7579->7581 7583 40ca2c memcpy memset 7581->7583 7582 40c9f7 memset 7582->7581 7583->7538 7584->7582 7600 411d68 RegOpenKeyExA 7585->7600 7587 40d7b8 7588 40d7c3 memset 7587->7588 7589 40d92b 7587->7589 7598 40d7f1 7588->7598 7589->6901 7589->6902 7591 40d922 RegCloseKey 7591->7589 7593 40d80f RegQueryValueExA 7594 40d8f9 RegCloseKey 7593->7594 7595 40d839 atoi 7593->7595 7594->7598 7595->7594 7595->7598 7596 40d85a memset 7602 40807d memcpy memcpy 7596->7602 7598->7591 7598->7593 7598->7594 7598->7596 7599 40d88b _mbscpy _mbscpy 7598->7599 7601 411d68 RegOpenKeyExA 7598->7601 7613 411dee RegEnumKeyExA 7598->7613 7599->7598 7600->7587 7601->7598 7603 4080b0 7602->7603 7604 40c929 3 API calls 7603->7604 7605 4080bf 7604->7605 7606 40c9c7 5 API calls 7605->7606 7607 4080cb 7606->7607 7607->7607 7608 40810c 
memset 7607->7608 7611 408194 7607->7611 7610 408138 7608->7610 7609 40815f strlen 7609->7611 7612 40816b _mbscpy _mbscpy 7609->7612 7610->7609 7611->7598 7612->7611 7613->7598 7615 407dc4 7614->7615 7616 411d68 RegOpenKeyExA 7615->7616 7616->6908 7617->6914 7618->6914 7620 407e51 7619->7620 7621 407f77 RegCloseKey 7620->7621 7622 407e65 memset 7620->7622 7621->6914 7623 407e96 7622->7623 7624 404c9d 3 API calls 7623->7624 7627 407ede 7624->7627 7625 407f6f 7626 404ce0 FreeLibrary 7625->7626 7626->7621 7627->7625 7628 407f25 memcpy 7627->7628 7629 406958 2 API calls 7628->7629 7630 407f59 LocalFree 7629->7630 7630->7625 7632->6914 7633->6923 7634->6929 7635->6929 7637 407b01 7636->7637 7638 407bbf RegCloseKey 7636->7638 7639 404c9d 3 API calls 7637->7639 7638->6929 7641 407b12 7639->7641 7640 404ce0 FreeLibrary 7640->7638 7642 407b3e WideCharToMultiByte LocalFree 7641->7642 7648 407baa 7641->7648 7643 411d82 RegQueryValueExA 7642->7643 7644 407b87 7643->7644 7645 411d82 RegQueryValueExA 7644->7645 7646 407b9c 7645->7646 7647 406958 2 API calls 7646->7647 7647->7648 7648->7640 7649->6929 7650->6940 7668 4067ba CreateFileA 7651->7668 7653 410ad6 7654 410ae3 GetFileSize 7653->7654 7655 410b8e 7653->7655 7669 407a56 7654->7669 7655->6941 7657 410b07 7658 407a56 2 API calls 7657->7658 7659 410b1a 7658->7659 7660 406ed6 ReadFile 7659->7660 7661 410b31 7660->7661 7662 410b75 CloseHandle 7661->7662 7665 410b50 WideCharToMultiByte 7661->7665 7691 407a41 7662->7691 7672 4108fa 7665->7672 7666 407a41 ??3@YAXPAX 7666->7655 7668->7653 7670 407a6a ??2@YAPAXI 7669->7670 7671 407a5c ??3@YAXPAX 7669->7671 7670->7657 7671->7670 7673 410907 7672->7673 7674 404c9d 3 API calls 7673->7674 7675 41091d 7674->7675 7676 410925 memset 7675->7676 7677 410ab6 7675->7677 7694 407193 7676->7694 7678 404ce0 FreeLibrary 7677->7678 7680 410abe 7678->7680 7680->7662 7681 410958 7681->7677 7682 41096b memset 7681->7682 7683 407193 memcpy 7681->7683 7685 4109b8 MultiByteToWideChar 7681->7685 7686 
4109e0 memset 7681->7686 7688 40720f 2 API calls 7681->7688 7689 410a51 LocalFree 7681->7689 7690 410a2f memcpy 7681->7690 7698 40720f 7682->7698 7683->7681 7685->7681 7687 4029d9 strlen 7686->7687 7687->7681 7688->7681 7689->7681 7690->7689 7692 407a55 7691->7692 7693 407a47 ??3@YAXPAX 7691->7693 7692->7666 7693->7692 7695 4071aa 7694->7695 7697 4071a6 7694->7697 7696 4071d4 memcpy 7695->7696 7695->7697 7696->7697 7697->7681 7699 407221 7698->7699 7702 407228 7698->7702 7699->7681 7700 407236 strchr 7700->7702 7701 407269 memcpy 7701->7702 7702->7699 7702->7700 7702->7701 7703->6946 7704->6952 7705->6952 7707 410eb7 7706->7707 7707->6952 7708->6952 7709->6965 7724 4067ba CreateFileA 7710->7724 7712 405af9 7713 405b02 GetFileSize 7712->7713 7714 405b53 7712->7714 7715 405b12 7713->7715 7716 405b4a CloseHandle 7713->7716 7714->6967 7717 407a56 2 API calls 7715->7717 7716->7714 7718 405b23 7717->7718 7719 406ed6 ReadFile 7718->7719 7720 405b32 7719->7720 7725 405865 memset 7720->7725 7723 407a41 ??3@YAXPAX 7723->7716 7724->7712 7726 407193 memcpy 7725->7726 7734 4058c3 7726->7734 7727 405ae1 7727->7723 7728 406958 2 API calls 7728->7734 7729 405902 strlen 7729->7734 7730 40593d memset memset 7730->7734 7731 4070e4 strlen strlen memcmp 7731->7734 7732 407193 memcpy 7732->7734 7734->7727 7734->7728 7734->7729 7734->7730 7734->7731 7734->7732 7735 406d5a strtoul 7734->7735 7735->7734 7737 40f9b6 7736->7737 7785 40fa34 7737->7785 7740 40e6a8 strrchr 7740->6972 7741 40f9bc 7744 40fa11 7741->7744 7746 40fa26 7741->7746 7798 406d2b 7741->7798 7745 406958 2 API calls 7744->7745 7744->7746 7745->7746 7803 40733e free free 7746->7803 7830 410c4c memset 7747->7830 7750 406521 memset 7752 406958 2 API calls 7750->7752 7751 4066d9 7782 410d6f 7751->7782 7753 40654d 7752->7753 7754 40656e memset memset memset strlen strlen 7753->7754 7779 4066c1 7753->7779 7755 4065d5 7754->7755 7756 4065e4 strlen strlen 7754->7756 7758 406b4b 4 API calls 7755->7758 7760 40661d strlen strlen 
7756->7760 7761 40660e 7756->7761 7757 410d6f 2 API calls 7757->7751 7758->7756 7764 406647 7760->7764 7765 406656 7760->7765 7762 406b4b 4 API calls 7761->7762 7762->7760 7766 406b4b 4 API calls 7764->7766 7840 4069d3 GetFileAttributesA 7765->7840 7766->7765 7768 40666d 7769 406681 7768->7769 7770 406672 7768->7770 7860 4069d3 GetFileAttributesA 7769->7860 7841 4062db 7770->7841 7773 40668d 7774 4066a1 7773->7774 7775 406692 7773->7775 7861 4069d3 GetFileAttributesA 7774->7861 7776 4062db 21 API calls 7775->7776 7776->7774 7778 4066ad 7778->7779 7780 4066b2 7778->7780 7779->7757 7781 4062db 21 API calls 7780->7781 7781->7779 7783 410d74 SetCurrentDirectoryA FreeLibrary 7782->7783 7784 40e71c 7782->7784 7783->7784 7784->6977 7786 40fa48 7785->7786 7804 40fc4f memset memset 7786->7804 7788 40fb5b 7817 40733e free free 7788->7817 7790 40fa66 memset 7792 40fa4e 7790->7792 7791 40fb63 7791->7741 7792->7788 7792->7790 7793 40fa8a strlen strlen 7792->7793 7794 406b4b strlen _mbscat _mbscpy _mbscat 7792->7794 7795 4069d3 GetFileAttributesA 7792->7795 7796 40faec strlen strlen 7792->7796 7797 407364 7 API calls 7792->7797 7793->7792 7794->7792 7795->7792 7796->7792 7797->7792 7829 4067ba CreateFileA 7798->7829 7800 406d38 7801 406d55 CompareFileTime 7800->7801 7802 406d3f GetFileTime CloseHandle 7800->7802 7801->7741 7802->7801 7803->7740 7805 41223f 10 API calls 7804->7805 7806 40fc9e 7805->7806 7807 40680e 2 API calls 7806->7807 7808 40fca5 _mbscat 7807->7808 7809 41223f 10 API calls 7808->7809 7810 40fcc6 7809->7810 7811 40680e 2 API calls 7810->7811 7812 40fccd _mbscat 7811->7812 7818 40fb6a 7812->7818 7815 40fb6a 22 API calls 7816 40fcfa 7815->7816 7816->7792 7817->7791 7819 40783b 9 API calls 7818->7819 7827 40fb9e 7819->7827 7820 40fc3e 7822 407930 FindClose 7820->7822 7821 407800 strcmp strcmp 7821->7827 7823 40fc49 7822->7823 7823->7815 7824 40783b 9 API calls 7824->7827 7825 407898 9 API calls 7825->7827 7826 407930 FindClose 7826->7827 7827->7820 7827->7821 
7827->7824 7827->7825 7827->7826 7828 407364 7 API calls 7827->7828 7828->7827 7829->7800 7862 405ec5 memset memset 7830->7862 7833 406519 7833->7750 7833->7751 7834 410c8d GetCurrentDirectoryA SetCurrentDirectoryA memset strlen strlen 7835 410cf3 LoadLibraryExA 7834->7835 7836 410cdc 7834->7836 7835->7833 7839 410d17 6 API calls 7835->7839 7837 406b4b 4 API calls 7836->7837 7837->7835 7839->7833 7840->7768 7842 4062e8 7841->7842 7894 4067ba CreateFileA 7842->7894 7844 4062f3 7845 406302 GetFileSize 7844->7845 7846 4064f4 7844->7846 7847 406316 ??2@YAPAXI 7845->7847 7848 4064eb CloseHandle 7845->7848 7846->7769 7849 406ed6 ReadFile 7847->7849 7848->7846 7850 40632c memset memset memset 7849->7850 7895 4060c4 7850->7895 7852 4064e2 ??3@YAXPAX 7852->7848 7853 4063ad strcmp 7855 406395 7853->7855 7854 4060c4 memcpy 7854->7855 7855->7852 7855->7853 7855->7854 7856 40644e _mbscpy 7855->7856 7857 40645d _mbscpy 7855->7857 7859 4064a7 strcmp 7855->7859 7856->7855 7899 40623f 7857->7899 7859->7855 7860->7773 7861->7778 7884 411d68 RegOpenKeyExA 7862->7884 7864 405f1c 7865 406072 _mbscpy 7864->7865 7866 405f27 memset 7864->7866 7868 406085 ExpandEnvironmentStringsA 7865->7868 7869 4060b0 7865->7869 7891 411dee RegEnumKeyExA 7866->7891 7885 405e4a memset strlen strlen 7868->7885 7869->7833 7869->7834 7870 405f52 7873 406069 RegCloseKey 7870->7873 7874 405f5a _mbsnbicmp 7870->7874 7881 405e4a 8 API calls 7870->7881 7882 406004 _mbsicmp 7870->7882 7892 411dee RegEnumKeyExA 7870->7892 7873->7865 7874->7870 7876 405f78 memset memset _snprintf 7874->7876 7875 4060a2 GetCurrentDirectoryA 7877 405e4a 8 API calls 7875->7877 7879 411dae 3 API calls 7876->7879 7877->7869 7880 405fd9 _mbsrchr 7879->7880 7880->7870 7881->7870 7882->7870 7883 40601d _mbscpy _mbscpy 7882->7883 7883->7870 7884->7864 7886 405e91 7885->7886 7887 405ea0 7885->7887 7888 406b4b 4 API calls 7886->7888 7893 4069d3 GetFileAttributesA 7887->7893 7888->7887 7890 405eb7 7890->7869 7890->7875 7891->7870 7892->7870 
7893->7890 7894->7844 7896 4060db 7895->7896 7898 4060d7 7895->7898 7897 406106 memcpy 7896->7897 7896->7898 7897->7898 7898->7855 7900 40624c 7899->7900 7901 406259 _mbscpy 7900->7901 7907 406143 7901->7907 7904 406143 3 API calls 7905 406290 _mbscpy _mbscpy _mbscpy 7904->7905 7906 4062d6 7905->7906 7906->7855 7908 406163 7907->7908 7909 406174 7907->7909 7910 406180 memset 7908->7910 7911 40616c 7908->7911 7909->7904 7913 4029d9 strlen 7910->7913 7912 4029d9 strlen 7911->7912 7912->7909 7914 4061a7 7913->7914 7914->7909 7915 406214 memcpy 7914->7915 7915->7909 7917 4085c6 7916->7917 7945 40733e free free 7917->7945 7919 408602 7946 40821a 7919->7946 7922 4085d3 7922->7919 7983 407407 7922->7983 7925 4086db 7933 40733e free free 7925->7933 7926 4086d3 7927 404d18 7 API calls 7926->7927 7927->7925 7928 408649 MultiByteToWideChar _wcslwr 7969 408490 7928->7969 7931 408610 7931->7925 7931->7926 7931->7928 7932 408490 17 API calls 7931->7932 7932->7931 7933->6984 7935 4081b7 7934->7935 7936 4081ac FreeLibrary 7934->7936 7937 407491 free 7935->7937 7936->7935 7938 4081c0 7937->7938 8012 40733e free free 7938->8012 7940 4081c8 8013 40733e free free 7940->8013 7942 4081d0 8014 40733e free free 7942->8014 7944 4081d8 7945->7922 7988 40733e free free 7946->7988 7948 408233 7989 411d68 RegOpenKeyExA 7948->7989 7950 408246 7951 408251 7950->7951 7952 408356 7950->7952 7953 40746b 4 API calls 7951->7953 7966 404d18 7952->7966 7954 408269 memset 7953->7954 7990 4074aa 7954->7990 7957 40834c RegCloseKey 7957->7952 7958 4082bd 7959 4082c6 _strupr 7958->7959 7960 407364 7 API calls 7959->7960 7961 4082e4 7960->7961 7962 407364 7 API calls 7961->7962 7963 4082f8 memset 7962->7963 7964 4074aa 7963->7964 7965 408327 RegEnumValueA 7964->7965 7965->7957 7965->7959 7967 404d79 7966->7967 7968 404d1d 7 API calls 7966->7968 7967->7931 7968->7967 7970 404d18 7 API calls 7969->7970 7971 4084a6 7970->7971 7972 4085a8 wcslen 7971->7972 7973 4084cb wcslen 7971->7973 7972->7931 7974 404d18 7 
API calls 7973->7974 7976 4084e4 7974->7976 7975 40859e 7978 404d18 7 API calls 7975->7978 7976->7975 7977 404d18 7 API calls 7976->7977 7979 40851d 7977->7979 7978->7972 7979->7975 7980 40853a memset 7979->7980 7981 408560 7980->7981 7992 4083d0 7981->7992 7984 407428 strcmp 7983->7984 7985 407413 7984->7985 7986 407424 7985->7986 7987 407364 7 API calls 7985->7987 7986->7922 7987->7986 7988->7948 7989->7950 7991 4074b0 RegEnumValueA 7990->7991 7991->7957 7991->7958 8003 407428 7992->8003 7994 40848a 7994->7975 7995 4083e3 7995->7994 7996 40841f wcslen 7995->7996 7997 404c9d 3 API calls 7996->7997 8000 408447 7997->8000 7998 408482 7999 404ce0 FreeLibrary 7998->7999 7999->7994 8000->7998 8001 408479 LocalFree 8000->8001 8007 40835f 8000->8007 8001->7998 8004 40742e 8003->8004 8005 407437 strcmp 8004->8005 8006 40744a 8004->8006 8005->8004 8005->8006 8006->7995 8008 408377 8007->8008 8009 4083c9 8007->8009 8008->8009 8010 408382 wcslen 8008->8010 8009->8001 8010->8009 8011 40839b wcslen 8010->8011 8011->8008 8012->7940 8013->7942 8014->7944 8016 40e506 8015->8016 8017 40e515 8015->8017 8018 406b4b 4 API calls 8016->8018 8023 4069d3 GetFileAttributesA 8017->8023 8018->8017 8020 40e52c 8021 40e540 8020->8021 8024 40e293 8020->8024 8021->6989 8021->6991 8023->8020 8039 4067ba CreateFileA 8024->8039 8026 40e2a7 8027 40e2b4 GetFileSize 8026->8027 8028 40e4ac 8026->8028 8029 40e4a3 CloseHandle 8027->8029 8030 40e2cc ??2@YAPAXI memset ReadFile 8027->8030 8028->8021 8029->8028 8037 40e314 8030->8037 8031 407193 memcpy 8031->8037 8032 40e49c ??3@YAXPAX 8032->8029 8033 407139 strlen strlen _memicmp 8033->8037 8034 40e39b memcpy memcpy 8035 407139 3 API calls 8034->8035 8035->8037 8036 406958 2 API calls 8036->8037 8037->8031 8037->8032 8037->8033 8037->8034 8037->8036 8038 4029d9 strlen 8037->8038 8038->8037 8039->8026 8041 414060 8040->8041 8042 40dd72 memset strlen strlen 8041->8042 8043 40ddbe 8042->8043 8044 40ddad 8042->8044 8054 4069d3 GetFileAttributesA 8043->8054 
                                                                                                    APIs
                                                                                                    • FindFirstFileA.KERNELBASE(00000103,00000247,?,?,004042EE,?), ref: 004078AE
                                                                                                    • FindNextFileA.KERNELBASE(000000FF,00000247,?,?,004042EE,?), ref: 004078CC
                                                                                                    • strlen.MSVCRT ref: 004078FC
                                                                                                    • strlen.MSVCRT ref: 00407904
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000007.00000002.2750916801.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000007.00000002.2750916801.000000000041B000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_7_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileFindstrlen$FirstNext
                                                                                                    • String ID:
                                                                                                    • API String ID: 379999529-0
                                                                                                    • Opcode ID: 2b827dd507cf4954e4e0e3644904d3df78e65a6b3ddb2711f2897f60a4f4153f
                                                                                                    • Instruction ID: 3f72f9a190aab30f8f483bccc0fafde7a86c3084d5e1b238a9c8f95d2c3e0c3c
                                                                                                    • Opcode Fuzzy Hash: 2b827dd507cf4954e4e0e3644904d3df78e65a6b3ddb2711f2897f60a4f4153f
                                                                                                    • Instruction Fuzzy Hash: 1F1186B2919201AFD3149B34D884EDB77D8DF44325F20493FF19AD21D0EB38B9459755

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00410C6D
                                                                                                      • Part of subcall function 00405EC5: memset.MSVCRT ref: 00405EE7
                                                                                                      • Part of subcall function 00405EC5: memset.MSVCRT ref: 00405EFF
                                                                                                      • Part of subcall function 00405EC5: memset.MSVCRT ref: 00405F3A
                                                                                                      • Part of subcall function 00405EC5: RegCloseKey.ADVAPI32(?), ref: 0040606C
                                                                                                      • Part of subcall function 00405EC5: _mbscpy.MSVCRT(?,?), ref: 0040607A
                                                                                                      • Part of subcall function 00405EC5: ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104), ref: 0040608C
                                                                                                      • Part of subcall function 00405EC5: GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 004060A4
                                                                                                    • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00410C92
                                                                                                    • SetCurrentDirectoryA.KERNEL32(?), ref: 00410C9F
                                                                                                    • memset.MSVCRT ref: 00410CB4
                                                                                                    • strlen.MSVCRT ref: 00410CBE
                                                                                                    • strlen.MSVCRT ref: 00410CCC
                                                                                                    • LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 00410D0B
                                                                                                    • GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 00410D23
                                                                                                    • GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 00410D2F
                                                                                                    • GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 00410D3B
                                                                                                    • GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 00410D47
                                                                                                    • GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 00410D53
                                                                                                    • GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 00410D5F
                                                                                                      • Part of subcall function 00406B4B: _mbscpy.MSVCRT(0040390F,00000000,0040390F,0040D4CE,00000000,Trillian\users\global), ref: 00406B53
                                                                                                      • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000007.00000002.2750916801.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000007.00000002.2750916801.000000000041B000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_7_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$memset$CurrentDirectory$_mbscpystrlen$CloseEnvironmentExpandLibraryLoadStrings_mbscat
                                                                                                    • String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_FreeSlot$PK11_GetInternalKeySlot$nss3.dll
                                                                                                    • API String ID: 2719586705-3659000792
                                                                                                    • Opcode ID: 75917a1aec9986030c83e97f8a6c26f5c534c2a98396f13b9efaf1f70b8442b1
                                                                                                    • Instruction ID: 3c436980af1a21df5e4856e841a29f4fe06fda5e66834ce9295461a77701cb90
                                                                                                    • Opcode Fuzzy Hash: 75917a1aec9986030c83e97f8a6c26f5c534c2a98396f13b9efaf1f70b8442b1
                                                                                                    • Instruction Fuzzy Hash: BB317671940308AFCB20EFB5DC89ECABBB8AF64704F10486EE185D3141DAB996C48F54

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 156 407c79-407dc2 memset * 4 GetComputerNameA GetUserNameA MultiByteToWideChar * 2 strlen * 2 memcpy 157 407dc4 156->157 158 407df8-407dfb 156->158 159 407dca-407dd3 157->159 160 407e2c-407e30 158->160 161 407dfd-407e06 158->161 162 407dd5-407dd9 159->162 163 407dda-407df6 159->163 164 407e08-407e0c 161->164 165 407e0d-407e2a 161->165 162->163 163->158 163->159 164->165 165->160 165->161
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00407CDB
                                                                                                    • memset.MSVCRT ref: 00407CEF
                                                                                                    • memset.MSVCRT ref: 00407D09
                                                                                                    • memset.MSVCRT ref: 00407D1E
                                                                                                    • GetComputerNameA.KERNEL32(?,?), ref: 00407D40
                                                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 00407D54
                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407D73
                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407D88
                                                                                                    • strlen.MSVCRT ref: 00407D91
                                                                                                    • strlen.MSVCRT ref: 00407DA0
                                                                                                    • memcpy.MSVCRT(?,000000A3,00000010,?,?), ref: 00407DB2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000007.00000002.2750916801.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000007.00000002.2750916801.000000000041B000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_7_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                                                                                                    • String ID: 5$H$O$b$i$}$}

                                                                                                    Control-flow Graph
                                                                                                    control_flow_graph 166 4110af-4110b6 167 411146 166->167 168 4110bc-4110cc LoadLibraryA 166->168 169 411145 168->169 170 4110ce-4110e4 GetProcAddress 168->170 169->167 171 411134-41113c 170->171 172 4110e6-4110f5 GetProcAddress 170->172 171->169 173 41113e-41113f FreeLibrary 171->173 172->171 174 4110f7-411106 GetProcAddress 172->174 173->169 174->171 175 411108-411117 GetProcAddress 174->175 175->171 176 411119-411128 GetProcAddress 175->176 176->171 177 41112a 176->177 177->171
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNELBASE(psapi.dll,?,00411155,00404495,00000000,00000000,00000000), ref: 004110C2
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 004110DB
                                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004110EC
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 004110FD
                                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041110E
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 0041111F
                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 0041113F
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$Library$FreeLoad
                                                                                                    • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll

                                                                                                    Control-flow Graph
                                                                                                    control_flow_graph 196 4064fb-40651b call 410c4c 199 406521-406555 memset call 406958 196->199 200 4066d9-4066e0 196->200 203 406563 199->203 204 406557-406561 199->204 205 406566-406568 203->205 204->205 206 4066d4 call 410d6f 205->206 207 40656e-4065d3 memset * 3 strlen * 2 205->207 206->200 209 4065d5-4065e6 call 406b4b 207->209 210 4065e8 207->210 213 4065ef-40660c strlen * 2 209->213 210->213 215 406621 213->215 216 40660e-40661f call 406b4b 213->216 218 406628-406645 strlen * 2 215->218 216->218 220 406647-406658 call 406b4b 218->220 221 40665a 218->221 222 406661-406670 call 4069d3 220->222 221->222 227 406681-406690 call 4069d3 222->227 228 406672-40667c call 4062db 222->228 232 4066a1-4066b0 call 4069d3 227->232 233 406692-40669c call 4062db 227->233 228->227 237 4066c1-4066d0 232->237 238 4066b2-4066bc call 4062db 232->238 233->232 237->206 239 4066d2 237->239 238->237 239->206
                                                                                                    APIs
                                                                                                      • Part of subcall function 00410C4C: memset.MSVCRT ref: 00410C6D
                                                                                                      • Part of subcall function 00410C4C: GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00410C92
                                                                                                      • Part of subcall function 00410C4C: SetCurrentDirectoryA.KERNEL32(?), ref: 00410C9F
                                                                                                      • Part of subcall function 00410C4C: memset.MSVCRT ref: 00410CB4
                                                                                                      • Part of subcall function 00410C4C: strlen.MSVCRT ref: 00410CBE
                                                                                                      • Part of subcall function 00410C4C: strlen.MSVCRT ref: 00410CCC
                                                                                                      • Part of subcall function 00410C4C: LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 00410D0B
                                                                                                      • Part of subcall function 00410C4C: GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 00410D23
                                                                                                      • Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 00410D2F
                                                                                                      • Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 00410D3B
                                                                                                      • Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 00410D47
                                                                                                      • Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 00410D53
                                                                                                      • Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 00410D5F
                                                                                                    • memset.MSVCRT ref: 00406537
                                                                                                      • Part of subcall function 00406958: strlen.MSVCRT ref: 0040695D
                                                                                                      • Part of subcall function 00406958: memcpy.MSVCRT(00000000,00000000,00000000,00000000,0040D450,trillian,?,?,?,?,?,00000000,00000000), ref: 00406972
                                                                                                    • memset.MSVCRT ref: 0040657E
                                                                                                    • memset.MSVCRT ref: 00406596
                                                                                                    • memset.MSVCRT ref: 004065AE
                                                                                                    • strlen.MSVCRT ref: 004065B9
                                                                                                    • strlen.MSVCRT ref: 004065C7
                                                                                                    • strlen.MSVCRT ref: 004065F2
                                                                                                    • strlen.MSVCRT ref: 00406600
                                                                                                    • strlen.MSVCRT ref: 0040662B
                                                                                                    • strlen.MSVCRT ref: 00406639
                                                                                                      • Part of subcall function 004069D3: GetFileAttributesA.KERNELBASE(0040390F,0040D4DB,0040390F,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004069D7
                                                                                                      • Part of subcall function 004062DB: GetFileSize.KERNEL32(00000000,00000000), ref: 00406306
                                                                                                      • Part of subcall function 004062DB: ??2@YAPAXI@Z.MSVCRT(00000001), ref: 0040631A
                                                                                                      • Part of subcall function 004062DB: memset.MSVCRT ref: 00406349
                                                                                                      • Part of subcall function 004062DB: memset.MSVCRT ref: 00406368
                                                                                                      • Part of subcall function 004062DB: memset.MSVCRT ref: 0040637A
                                                                                                      • Part of subcall function 004062DB: strcmp.MSVCRT ref: 004063B9
                                                                                                      • Part of subcall function 004062DB: ??3@YAXPAX@Z.MSVCRT(?), ref: 004064E5
                                                                                                      • Part of subcall function 004062DB: CloseHandle.KERNEL32(?), ref: 004064EE
                                                                                                    Similarity
                                                                                                    • API ID: memsetstrlen$AddressProc$CurrentDirectoryFile$??2@??3@AttributesCloseHandleLibraryLoadSizememcpystrcmp
                                                                                                    • String ID: signons.txt$signons2.txt$signons3.txt
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040FC6B
                                                                                                    • memset.MSVCRT ref: 0040FC82
                                                                                                      • Part of subcall function 0041223F: SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000000,00000104), ref: 00412279
                                                                                                      • Part of subcall function 0040680E: strlen.MSVCRT ref: 0040680F
                                                                                                      • Part of subcall function 0040680E: _mbscat.MSVCRT ref: 00406826
                                                                                                    • _mbscat.MSVCRT ref: 0040FCAD
                                                                                                      • Part of subcall function 0041223F: memset.MSVCRT ref: 00412297
                                                                                                      • Part of subcall function 0041223F: RegCloseKey.ADVAPI32(00000104,?,?,?,?,00000000,00000104), ref: 004122FE
                                                                                                      • Part of subcall function 0041223F: _mbscpy.MSVCRT(00000000,?,?,?,?,?,00000000,00000104), ref: 0041230C
                                                                                                    • _mbscat.MSVCRT ref: 0040FCD5
                                                                                                    Similarity
                                                                                                    • API ID: _mbscatmemset$CloseFolderPathSpecial_mbscpystrlen
                                                                                                    • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                                                    APIs
                                                                                                      • Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
                                                                                                    • RegCloseKey.KERNELBASE(0040D439,?,?,0040D439,?,?,?,?,?,00000000,00000000), ref: 00412167
                                                                                                    • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,?,0040D439,?,?,?,?,?,00000000,00000000), ref: 00412178
                                                                                                    • _mbscat.MSVCRT ref: 00412188
                                                                                                      • Part of subcall function 00411D82: RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?,00000008,00000008,?,0040275E,?,TRIPWD), ref: 00411D9B
                                                                                                    Strings
                                                                                                    • ProgramFilesDir, xrefs: 00412150
                                                                                                    • :\Program Files, xrefs: 0041217E
                                                                                                    • SOFTWARE\Microsoft\Windows\CurrentVersion, xrefs: 00412137
                                                                                                    Similarity
                                                                                                    • API ID: CloseDirectoryOpenQueryValueWindows_mbscat
                                                                                                    • String ID: :\Program Files$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion
                                                                                                    APIs
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000738), ref: 0040C449
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(000008FC), ref: 0040C46C
                                                                                                    • DeleteObject.GDI32(?), ref: 0040C4B3
                                                                                                    • LoadIconA.USER32(00000065), ref: 0040C4FA
                                                                                                    Similarity
                                                                                                    • API ID: ??2@$DeleteIconLoadObject
                                                                                                    • String ID: ;@
                                                                                                    APIs
                                                                                                      • Part of subcall function 00404CE0: FreeLibrary.KERNELBASE(?,00404CA5,00000000,00404771,?,?), ref: 00404CEB
                                                                                                    • LoadLibraryA.KERNELBASE(crypt32.dll,00000000,00404771,?,?), ref: 00404CAA
                                                                                                    • GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00404CBC
                                                                                                    Similarity
                                                                                                    • API ID: Library$AddressFreeLoadProc
                                                                                                    • String ID: CryptUnprotectData$crypt32.dll
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 004115A1
                                                                                                    • K32EnumProcesses.KERNEL32(?,00004000,004044A3,?,004044A3,?,00000000,00000000,00000000), ref: 004115B9
                                                                                                      • Part of subcall function 004112D9: OpenProcess.KERNEL32(00000410,00000000,?,?,00000000,?,?,?), ref: 004112FF
                                                                                                      • Part of subcall function 004112D9: K32EnumProcessModules.KERNEL32(00000000,?,00000004,?,?,?,?), ref: 00411316
                                                                                                      • Part of subcall function 004112D9: K32GetModuleFileNameExA.KERNEL32(00000000,?,?,00000104,?,?,?), ref: 0041132A
                                                                                                      • Part of subcall function 004112D9: CloseHandle.KERNELBASE(00000000,?,?,?), ref: 00411336
                                                                                                      • Part of subcall function 00411172: _mbscpy.MSVCRT(?,-00000001), ref: 00411198
                                                                                                      • Part of subcall function 0041172B: memcpy.MSVCRT(0041DF00,?,0000010C,?,00000000,00411680,004044A3,?), ref: 00411758
                                                                                                    • _mbscpy.MSVCRT(?,?), ref: 0041165E
                                                                                                    • CloseHandle.KERNEL32(00000000,004044A3,?), ref: 00411697
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000007.00000002.2750916801.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000007.00000002.2750916801.000000000041B000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_7_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseEnumHandleProcess_mbscpy$FileModuleModulesNameOpenProcessesmemcpymemset
                                                                                                    • String ID:
                                                                                                    • API String ID: 3731837815-0
                                                                                                    • Opcode ID: 9809a1a83cd82cc29b60a12147b0f8e2d32acd45d844ff989c572edc4e4952da
                                                                                                    • Instruction ID: 5e40a2ef1ff72a785ccc601064cd9551f1045985186162b7752f8c4c90acf24d
                                                                                                    • Opcode Fuzzy Hash: 9809a1a83cd82cc29b60a12147b0f8e2d32acd45d844ff989c572edc4e4952da
                                                                                                    • Instruction Fuzzy Hash: 72317271901129ABDB20EB65DC85BEE77BCEB44344F0440ABE709E2160D7759EC5CA68
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00411CB8
                                                                                                      • Part of subcall function 00406F2D: sprintf.MSVCRT ref: 00406F65
                                                                                                      • Part of subcall function 00406F2D: memcpy.MSVCRT(?,00000000,00000003,00000000,%2.2X ,?), ref: 00406F78
                                                                                                    • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00411CDC
                                                                                                    • memset.MSVCRT ref: 00411CF4
                                                                                                    • GetPrivateProfileStringA.KERNEL32(?,?,00417C88,?,00002000,?), ref: 00411D12
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000007.00000002.2750916801.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000007.00000002.2750916801.000000000041B000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_7_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                                                                                    • String ID:
                                                                                                    • API String ID: 3143880245-0
                                                                                                    • Opcode ID: a1c05242f935a5891b0258ea82ebdb7f25e17ebbf36daa8a397953fffb7df0c4
                                                                                                    • Instruction ID: 17bc1180ef60d6c0bde436c598d7e35c316bda315ace93708f1b6f060f7ed051
                                                                                                    • Opcode Fuzzy Hash: a1c05242f935a5891b0258ea82ebdb7f25e17ebbf36daa8a397953fffb7df0c4
                                                                                                    • Instruction Fuzzy Hash: 0611A771500219BFDF115F64EC8AEDB3F78EF04754F100066FA09A2151E6358964CBA8
                                                                                                    APIs
                                                                                                    • FindResourceA.KERNEL32(?,?,?), ref: 00412098
                                                                                                    • SizeofResource.KERNEL32(?,00000000), ref: 004120A9
                                                                                                    • LoadResource.KERNEL32(?,00000000), ref: 004120B9
                                                                                                    • LockResource.KERNEL32(00000000), ref: 004120C4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000007.00000002.2750916801.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000007.00000002.2750916801.000000000041B000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_7_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Resource$FindLoadLockSizeof
                                                                                                    • String ID:
                                                                                                    • API String ID: 3473537107-0
                                                                                                    • Opcode ID: f941057d9d473a3effe0424e98a75c568b709bef998aca64f808860bd509ea76
                                                                                                    • Instruction ID: 6eee99af0fd3847aa000c15d4e464fa532876ff6069f3449b7718533803959f6
                                                                                                    • Opcode Fuzzy Hash: f941057d9d473a3effe0424e98a75c568b709bef998aca64f808860bd509ea76
                                                                                                    • Instruction Fuzzy Hash: 0101C432600215AB8B158F95DD489DB7F6AFF8A391305C036ED09C6360D770C890C6CC
                                                                                                    APIs
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00A13CF8), ref: 004140FC
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00A1BD00), ref: 0041410C
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00A1C510), ref: 0041411C
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00A1C108), ref: 0041412C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000007.00000002.2750916801.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000007.00000002.2750916801.000000000041B000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_7_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ??3@
                                                                                                    • String ID:
                                                                                                    • API String ID: 613200358-0
                                                                                                    • Opcode ID: e48d3df8ed8d95b9f010ad00d7fe62e5366ad64f636456b435669263f62c43ce
                                                                                                    • Instruction ID: 5397eece0a1688dd905253f83ef07836dc4e260be7ec153caf65aeba5f13d1a3
                                                                                                    • Opcode Fuzzy Hash: e48d3df8ed8d95b9f010ad00d7fe62e5366ad64f636456b435669263f62c43ce
                                                                                                    • Instruction Fuzzy Hash: 82E04674308210269A24AF3BFE49AC723AC5B54725794852FF808D33A2CE2CCCC0802C
                                                                                                    APIs
                                                                                                      • Part of subcall function 004067BA: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00404233,?), ref: 004067CC
                                                                                                    • GetFileTime.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040F9E7,00000000,?,00000000,?,?,00000000), ref: 00406D46
                                                                                                    • CloseHandle.KERNELBASE(00000000,?,?,00000000), ref: 00406D4F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000007.00000002.2750916801.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000007.00000002.2750916801.000000000041B000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_7_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: File$CloseCreateHandleTime
                                                                                                    • String ID:
                                                                                                    • API String ID: 3397143404-0
                                                                                                    • Opcode ID: 7bff6bc8731922aebfa0769e74e5599f4fdc97828f53a7f2077a8613dbe9e9dd
                                                                                                    • Instruction ID: ee1f68b728ceb5a298c60dc052c4b3ed262b371f399a07f2899d8fe9e4a13fdd
                                                                                                    • Opcode Fuzzy Hash: 7bff6bc8731922aebfa0769e74e5599f4fdc97828f53a7f2077a8613dbe9e9dd
                                                                                                    • Instruction Fuzzy Hash: C7D0123660116067872137676C0CDDF6E6ADECA326706843AF15593110D634481686A5
                                                                                                    APIs
                                                                                                      • Part of subcall function 00404D18: LoadLibraryA.KERNEL32(advapi32.dll,?,004084A6), ref: 00404D23
                                                                                                      • Part of subcall function 00404D18: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00404D37
                                                                                                      • Part of subcall function 00404D18: GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 00404D43
                                                                                                      • Part of subcall function 00404D18: GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 00404D4F
                                                                                                      • Part of subcall function 00404D18: GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00404D5B
                                                                                                      • Part of subcall function 00404D18: GetProcAddress.KERNEL32(?,CryptHashData), ref: 00404D67
                                                                                                      • Part of subcall function 00404D18: GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 00404D73
                                                                                                    • wcslen.MSVCRT ref: 004084CF
                                                                                                    • memset.MSVCRT ref: 0040854D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000007.00000002.2750916801.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000007.00000002.2750916801.000000000041B000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_7_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$LibraryLoadmemsetwcslen
                                                                                                    • String ID:
                                                                                                    • API String ID: 1960736289-0
                                                                                                    • Opcode ID: f78174ecb424998fb22a5f41f112440964ae667a2303fb3ee1b26447fe91a2a4
                                                                                                    • Instruction ID: 2dd004568a6c17cef409d44c463746fb2ce178d2970b6d5fdfdea9e5a7127ffe
                                                                                                    • Opcode Fuzzy Hash: f78174ecb424998fb22a5f41f112440964ae667a2303fb3ee1b26447fe91a2a4
                                                                                                    • Instruction Fuzzy Hash: D931A331500159BFCB11DFA4CD819EF77A8AF88304F14447EF985B7181DA38AE599B68
                                                                                                    APIs
                                                                                                    • FreeLibrary.KERNELBASE(?,00404CA5,00000000,00404771,?,?), ref: 00404CEB
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000007.00000002.2750916801.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000007.00000002.2750916801.000000000041B000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_7_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FreeLibrary
                                                                                                    • String ID:
                                                                                                    • API String ID: 3664257935-0
                                                                                                    • Opcode ID: 09654d27d92bbbd4347e31d37517ef01c67619c045b00d8d4426f03fbba466b4
                                                                                                    • Instruction ID: e399220ee4d6b13c72a3c0d8b1802730825471fdce5c5047c746ffbeb5b4c0d0
                                                                                                    • Opcode Fuzzy Hash: 09654d27d92bbbd4347e31d37517ef01c67619c045b00d8d4426f03fbba466b4
                                                                                                    • Instruction Fuzzy Hash: 95C09B71111701CBF7214F50C948793B7F4BF40717F50485C95D5D5080D77CD554DA18
                                                                                                    APIs
                                                                                                    • EnumResourceNamesA.KERNEL32(?,?,Function_0001208B,00000000), ref: 00412120
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000007.00000002.2750916801.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000007.00000002.2750916801.000000000041B000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_7_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: EnumNamesResource
                                                                                                    • String ID:
                                                                                                    • API String ID: 3334572018-0
                                                                                                    • Opcode ID: ba829d88c3412ff21df67adf2b83c510d22bc263701ca9dedf1e72494c089302
                                                                                                    • Instruction ID: 035a6a4498e4538559194e0194001357af3b3daa9477d160ae033d236808df75
                                                                                                    • Opcode Fuzzy Hash: ba829d88c3412ff21df67adf2b83c510d22bc263701ca9dedf1e72494c089302
                                                                                                    • Instruction Fuzzy Hash: F1C09B31594741D7D7119F608D05F5B7E95BB9C701F114D397355D40A4D7514024D605
                                                                                                    APIs
                                                                                                    • RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000007.00000002.2750916801.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000007.00000002.2750916801.000000000041B000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_7_2_400000_17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72e.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Open
                                                                                                    • String ID:
                                                                                                    • API String ID: 71445658-0
                                                                                                    • Opcode ID: b465aea9c7eaf0091ba49f462bc8b3cd6046f75692c30915c3b30d88ca534391
                                                                                                    • Instruction ID: ce7f413466e1863fe1078dd7deec7b9c9a94e59086d3684c19d06f0563d6b072
                                                                                                    • Opcode Fuzzy Hash: b465aea9c7eaf0091ba49f462bc8b3cd6046f75692c30915c3b30d88ca534391
                                                                                                    • Instruction Fuzzy Hash: 5CC09235548301FFDE128F80EE0AF4ABFA2BBC8B05F508818B284240B1C2728824EB57