
Windows Analysis Report njw.exe

Overview

General Information

Sample Name:njw.exe
Analysis ID:511823
MD5:3f91f84924d1db7ace9ad307fcae35d1
SHA1:50e790e2b3324c1b3805916c5a3c323ed8a7305f
SHA256:a0254e8580186ca146fcc6082a6110888ac0cc3c7f733e760ad7a655bd2a0503

Detection

Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
PE file has nameless sections
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Found potential string decryption / allocating functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Uses the system / local time for branch decision (may execute only at specific dates)
IP address seen in connection with other malware
Abnormal high CPU Usage
Creates a DirectInput object (often for capturing keystrokes)
Queries information about the installed CPU (vendor, model number etc)
PE file contains an invalid checksum
PE file contains strange resources
Allocates memory with a write watch (potentially for evading sandboxes)
Uses a known web browser user agent for HTTP communication
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Installs a global mouse hook
Found evaded block containing many API calls
PE file contains more sections than normal
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • njw.exe (PID: 7120 cmdline: 'C:\Users\user\Desktop\njw.exe' MD5: 3F91F84924D1DB7ACE9AD307FCAE35D1)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp
Rule: JoeSecurity_DelphiSystemParamCount
Description: Detected Delphi use of System.ParamCount()
Author: Joe Security

Unpacked PEs

Source: 0.2.njw.exe.400000.0.unpack
Rule: JoeSecurity_DelphiSystemParamCount
Description: Detected Delphi use of System.ParamCount()
Author: Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: njw.exe | Virustotal: Detection: 11%
Machine Learning detection for sample
Source: njw.exe | Joe Sandbox ML: detected
Source: njw.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DEBUG_STRIPPED, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
Source: unknown | HTTPS traffic detected: 87.250.251.119:443 -> 192.168.2.4:49791 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 87.250.251.119:443 -> 192.168.2.4:49790 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 88.212.201.198:443 -> 192.168.2.4:49792 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 88.212.201.198:443 -> 192.168.2.4:49793 version: TLS 1.2
Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_0068FDFC FindFirstFileA,0_2_0068FDFC
Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_0068D8ED FindFirstFileA,GetTempPathA,DeleteFileA,FindNextFileA,0_2_0068D8ED
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View | IP Address: 88.212.201.198 88.212.201.198
Source: Joe Sandbox View | IP Address: 87.250.251.119 87.250.251.119
      Source: global trafficHTTP traffic detected: GET /metrika/watch.js HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: mc.yandex.ru
      Source: global trafficHTTP traffic detected: GET /hit;counter1?r;s1280*1024*32;uhttp%3A//www.all-bearings.narod.ru/secondpage.html;0.5443641556055339 HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: counter.yadro.ru
      Source: global trafficHTTP traffic detected: GET /metrika/watch.js HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: mc.yandex.ru
      Source: global trafficHTTP traffic detected: GET /hit;counter1?r;s1280*1024*32;uhttp%3A//www.all-bearings.narod.ru/firstpage.html;0.34476715437082456 HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: counter.yadro.ru
      Source: global trafficHTTP traffic detected: GET /hit;counter1?q;r;s1280*1024*32;uhttp%3A//www.all-bearings.narod.ru/firstpage.html;0.34476715437082456 HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: counter.yadro.ruCookie: FTID=1XV1Xy3Wb9uB1XV1Xy001EiW
      Source: global trafficHTTP traffic detected: GET /hit;counter1?q;r;s1280*1024*32;uhttp%3A//www.all-bearings.narod.ru/secondpage.html;0.5443641556055339 HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: counter.yadro.ruCookie: FTID=1XV1Xy3Wb9uB1XV1Xy001Ei9
      Source: global trafficHTTP traffic detected: GET /watch/14153041?callback=_ymjsp303195921&page-url=http%3A%2F%2Fwww.all-bearings.narod.ru%2Fsecondpage.html&charset=utf-8&browser-info=pv%3A1%3Agdpr%3A14%3Avf%3A9ezyymqkmijljhdjn%3Afp%3A1976%3Afu%3A0%3Aen%3Autf-8%3Ala%3Aen-US%3Av%3A680%3Acn%3A1%3Adp%3A0%3Als%3A1156845228070%3Ahid%3A271984739%3Az%3A120%3Ai%3A202101029175118%3Aet%3A1635522678%3Ac%3A1%3Arn%3A1015963535%3Au%3A1635522678322622628%3Aw%3A148x55%3As%3A1280x1024x32%3Aifr%3A1%3Aj%3A1%3Ans%3A1635522674734%3Ads%3A0%2C0%2C0%2C0%2C0%2C0%2C%2C128%2C0%2C1973%2C1975%2C0%2C1973%3Aco%3A0%3Arqnl%3A1%3Ast%3A1635522680%3At%3AHTTP%20404%20Resource%20not%20found&t=gdpr(14)ti(3)&wmode=5 HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /watch/14153041?callback=_ymjsp355627947&page-url=http%3A%2F%2Fwww.all-bearings.narod.ru%2Ffirstpage.html&charset=utf-8&browser-info=pv%3A1%3Agdpr%3A14%3Avf%3A9ezyymqkmijljhdjn%3Afp%3A1930%3Afu%3A0%3Aen%3Autf-8%3Ala%3Aen-US%3Av%3A680%3Acn%3A1%3Adp%3A0%3Als%3A732524701665%3Ahid%3A87010386%3Az%3A120%3Ai%3A202101029175120%3Aet%3A1635522680%3Ac%3A1%3Arn%3A244404675%3Au%3A1635522678322622628%3Aw%3A148x47%3As%3A1280x1024x32%3Aifr%3A1%3Aj%3A1%3Ans%3A1635522674781%3Ads%3A0%2C0%2C0%2C0%2C0%2C0%2C%2C155%2C0%2C2520%2C2521%2C0%2C2520%3Aco%3A0%3Arqnl%3A1%3Ast%3A1635522681%3At%3AHTTP%20404%20Resource%20not%20found&t=gdpr(14)ti(3)&wmode=5 HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /metrika/advert.gif?t=ti(4) HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /watch/14153041/1?callback=_ymjsp303195921&page-url=http%3A%2F%2Fwww.all-bearings.narod.ru%2Fsecondpage.html&charset=utf-8&browser-info=pv%3A1%3Agdpr%3A14%3Avf%3A9ezyymqkmijljhdjn%3Afp%3A1976%3Afu%3A0%3Aen%3Autf-8%3Ala%3Aen-US%3Av%3A680%3Acn%3A1%3Adp%3A0%3Als%3A1156845228070%3Ahid%3A271984739%3Az%3A120%3Ai%3A202101029175118%3Aet%3A1635522678%3Ac%3A1%3Arn%3A1015963535%3Au%3A1635522678322622628%3Aw%3A148x55%3As%3A1280x1024x32%3Aifr%3A1%3Aj%3A1%3Ans%3A1635522674734%3Ads%3A0%2C0%2C0%2C0%2C0%2C0%2C%2C128%2C0%2C1973%2C1975%2C0%2C1973%3Aco%3A0%3Arqnl%3A1%3Ast%3A1635522680%3At%3AHTTP%20404%20Resource%20not%20found&t=gdpr%2814%29ti%283%29&wmode=5 HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-AliveCookie: yandexuid=847304281635522680; i=vL1T7ICVuHRXpyNPzwMzlaKjl/D94ryPalEPO4xIx2pX5AZpVtBfDP0muIercdmDCjCbNqUK2tSOHbHUPiY/6ZY1euA=; ymex=1667058680.yrts.1635522680#1667058680.yrtsi.1635522680; yabs-sid=2327043721635522680
      Source: global trafficHTTP traffic detected: GET /watch/14153041/1?callback=_ymjsp355627947&page-url=http%3A%2F%2Fwww.all-bearings.narod.ru%2Ffirstpage.html&charset=utf-8&browser-info=pv%3A1%3Agdpr%3A14%3Avf%3A9ezyymqkmijljhdjn%3Afp%3A1930%3Afu%3A0%3Aen%3Autf-8%3Ala%3Aen-US%3Av%3A680%3Acn%3A1%3Adp%3A0%3Als%3A732524701665%3Ahid%3A87010386%3Az%3A120%3Ai%3A202101029175120%3Aet%3A1635522680%3Ac%3A1%3Arn%3A244404675%3Au%3A1635522678322622628%3Aw%3A148x47%3As%3A1280x1024x32%3Aifr%3A1%3Aj%3A1%3Ans%3A1635522674781%3Ads%3A0%2C0%2C0%2C0%2C0%2C0%2C%2C155%2C0%2C2520%2C2521%2C0%2C2520%3Aco%3A0%3Arqnl%3A1%3Ast%3A1635522681%3At%3AHTTP%20404%20Resource%20not%20found&t=gdpr%2814%29ti%283%29&wmode=5 HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-AliveCookie: yandexuid=3723159021635522681; i=yROKAQCkQEDp/MhTCtujtSWzFSx7PgG/2QZgPGeQuaYkCYGk4Lr5g33sdF0NzFWf3pPBk9Yj1OF7cHnVzZMM+SWO+Mc=; ymex=1667058681.yrts.1635522681#1667058681.yrtsi.1635522681; yabs-sid=702787781635522681
      Source: global trafficHTTP traffic detected: GET /metrika/advert.gif?t=ti(4) HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /secondpage.html HTTP/1.1Accept: */*Accept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /firstpage.html HTTP/1.1Accept: */*Accept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /hit;counter1?r;s1280*1024*32;uhttp%3A//www.all-bearings.narod.ru/firstpage.html;0.34476715437082456 HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: counter.yadro.ruConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /metrika/watch.js HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /metrika/watch.js HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /hit;counter1?r;s1280*1024*32;uhttp%3A//www.all-bearings.narod.ru/secondpage.html;0.5443641556055339 HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: counter.yadro.ruConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /.s/img/err/button.png HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /.s/img/err/404-header-line.gif HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /.s/img/err/404-arrow.png HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /.s/img/err/404-logo.png HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /.s/img/err/404.png HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /.s/img/err/button.png HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /.s/img/err/404-header-line.gif HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /.s/img/err/404-logo.png HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /.s/img/err/404-arrow.png HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /.s/img/err/404.png HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
Source: unknown | Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown | Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49800
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 29 Oct 2021 15:51:16 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveKeep-Alive: timeout=15ETag: W/"611e66ad-1ad5"Content-Encoding: gzipData Raw: 61 30 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 9d 59 fb 6f db 38 12 fe 3d 7f 05 ab e0 60 bb 89 25 bf 92 a6 7e 15 6d da c5 2e 90 6e 7b bb e9 1d 8a a2 28 68 89 b6 d8 48 a2 4a 52 71 bc d9 fc ef 37 43 ea 65 5b 4e ba 67 a1 91 c4 c7 70 e6 9b 99 8f 43 75 fa ec ed 87 cb eb cf 1f df 91 50 c7 d1 fc 68 5a dc 18 0d e6 47 04 7e d3 98 69 0a bd 3a ed b2 1f 19 bf 9d 39 be 48 34 4b 74 57 6f 52 e6 90 fc 6d e6 68 76 a7 3d 9c 3e 21 7e 48 a5 62 7a 96 e9 65 f7 c2 21 5e 2e 49 73 1d b1 f9 af d7 d7 1f c9 a8 37 22 7f 30 25 32 e9 33 92 08 4d 96 22 4b 82 a9 67 87 1c 4d 95 de 44 8c e0 0a b9 60 5f 29 67 7e b4 10 c1 86 dc c7 54 ae 78 32 26 bd 09 49 69 10 f0 64 65 9e 17 d4 bf 59 49 94 33 26 c7 cb e5 72 02 42 13 3d 26 fd 41 7a e7 0d e0 0f 69 fd 87 c9 80 26 b4 05 2a 8a 48 48 18 77 7e 81 d7 e4 c1 8a a6 e4 be e8 18 0e e8 c0 07 19 b8 7a 37 60 be 90 54 73 01 ab 82 7c 26 23 9e b0 72 d2 38 14 b7 4c 92 fb bd a1 89 30 a3 74 70 4a 78 92 66 fa 94 28 16 31 1f ee 38 94 4a 06 eb 55 3a 92 a7 95 74 fd 88 51 58 c9 dc c6 64 21 74 68 5a ad 0f c8 fd 9a 07 3a 1c 93 17 c3 b3 f4 6e 42 0a 9c 68 a6 05 0c f3 9e 77 f3 1f 7a 97 49 fb fc dc 3b 3a b6 ef e4 3e 64 7c 15 82 36 67 66 7a 1d cf 4c 46 6d cf 55 1e 8f 57 1e 93 d2 03 ff 15 52 10 0a 77 c5 97 1d 22 59 ca a8 ee de 91 1e f8 17 24 3c 1c 1d 47 62 25 c0 c6 48 50 10 1b b1 a5 ae b4 aa 7b 6f 70 9e e2 ac 1e 36 e6 36 8c 86 a8 43 a1 d1 e0 45 4d 1e a0 16 70 95 46 74 03 10 44 c2 bf a9 c7 01 79 89 f3 0e 0b 21 e8 2b 50 68 3d 26 21 0f 02 96 40 4b a6 d1 88 dc 5f d6 e3 1c bc 8c 8e e9 be 84 df 2e 1a 18 5d 8d 90 a0 7a 6e 9a ac 3a 20 aa 6b e1 20 3e c8 01 70 ed 0d bd a5 b8 66 5d 1f 9c af 59 09 8d 44 0d 2b 6c ea 78 3c 62 ea 99 19 d5 37 de ca e3 a8 8f b1 7e 7e 20 8c 5e f8 3d 36 f8 49 53 a8 94 62 bd 6b 0b 7a 90 f4 ad 6f 
ab 70 aa ff 20 9c aa 8e 98 f2 a4 d6 71 8c ef e4 be 34 e0 ac 67 f4 3f 33 66 20 32 66 bc 59 63 3b 64 72 6f f6 cf 71 65 eb 1f 1a f1 15 00 55 a1 0a 7a 0b 69 e8 a3 cc a9 0b c4 62 d4 8c c5 0b b6 18 05 83 72 a2 2f 02 56 11 4b df 2a 36 b0 8a 95 cb db b4 28 a2 e9 fc fc 27 92 64 07 40 5c 2f a5 2b 06 8c 67 08 af 54 75 84 aa f6 0e a9 8a d7 de 54 9a 13 8e 96 34 51 4b 21 63 50 20 4d 99 f4 a9 62 4d 76 1a 70 4d 9c 35 a3 3b 7a b9 45 1a 26 fa c8 85 f5 75 7d 72 38 dc 62 e0 1a c7 22 e0 4d 06 0c 86 78 95 62 4a b6 6a 62 82 fe b0 8c fc dd f1 59 54 4d 19 96 91 0f 19 8a 6a d7 37 82 88 2b dd 35 3b 48 49 c1 c7 0a 08 d3 0f c9 3d e6 9f 79 5c 0b 19 94 84 39 7c d1 db 16 42 b6 5c 3d 30 bd c8 11 dd ed a6 1d e6 58 80 4c 06 16 43 12 12 25 22 1e 90 63 7f 89 57 d1 d5 95 34 e0 99 1a 5b f1 40 44 9a fb 34 2a 82 39 06 3e 8a 8c a3 ad 8a 6a 11 3f 1a 20 a5 2e 03 94 56 a0 7d 36 a2 41 b9 71 a9 90 06 48 75 3d a3 13 fe b3 3b 63 cd 52 23 15 37 1e 6b 52 93 0d 43 bc c8 33 1e a7 90 62 34 d1 cd e6 6c d1 0a bb c0 6b 2f 25 16 99 d6 22 b1 59 51 6c 17 a0 7a 26 15 ea 9e 0a 6
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 29 Oct 2021 15:51:16 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveKeep-Alive: timeout=15ETag: W/"611e66ad-1ad5"Content-Encoding: gzipData Raw: 61 30 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 9d 59 fb 6f db 38 12 fe 3d 7f 05 ab e0 60 bb 89 25 bf 92 a6 7e 15 6d da c5 2e 90 6e 7b bb e9 1d 8a a2 28 68 89 b6 d8 48 a2 4a 52 71 bc d9 fc ef 37 43 ea 65 5b 4e ba 67 a1 91 c4 c7 70 e6 9b 99 8f 43 75 fa ec ed 87 cb eb cf 1f df 91 50 c7 d1 fc 68 5a dc 18 0d e6 47 04 7e d3 98 69 0a bd 3a ed b2 1f 19 bf 9d 39 be 48 34 4b 74 57 6f 52 e6 90 fc 6d e6 68 76 a7 3d 9c 3e 21 7e 48 a5 62 7a 96 e9 65 f7 c2 21 5e 2e 49 73 1d b1 f9 af d7 d7 1f c9 a8 37 22 7f 30 25 32 e9 33 92 08 4d 96 22 4b 82 a9 67 87 1c 4d 95 de 44 8c e0 0a b9 60 5f 29 67 7e b4 10 c1 86 dc c7 54 ae 78 32 26 bd 09 49 69 10 f0 64 65 9e 17 d4 bf 59 49 94 33 26 c7 cb e5 72 02 42 13 3d 26 fd 41 7a e7 0d e0 0f 69 fd 87 c9 80 26 b4 05 2a 8a 48 48 18 77 7e 81 d7 e4 c1 8a a6 e4 be e8 18 0e e8 c0 07 19 b8 7a 37 60 be 90 54 73 01 ab 82 7c 26 23 9e b0 72 d2 38 14 b7 4c 92 fb bd a1 89 30 a3 74 70 4a 78 92 66 fa 94 28 16 31 1f ee 38 94 4a 06 eb 55 3a 92 a7 95 74 fd 88 51 58 c9 dc c6 64 21 74 68 5a ad 0f c8 fd 9a 07 3a 1c 93 17 c3 b3 f4 6e 42 0a 9c 68 a6 05 0c f3 9e 77 f3 1f 7a 97 49 fb fc dc 3b 3a b6 ef e4 3e 64 7c 15 82 36 67 66 7a 1d cf 4c 46 6d cf 55 1e 8f 57 1e 93 d2 03 ff 15 52 10 0a 77 c5 97 1d 22 59 ca a8 ee de 91 1e f8 17 24 3c 1c 1d 47 62 25 c0 c6 48 50 10 1b b1 a5 ae b4 aa 7b 6f 70 9e e2 ac 1e 36 e6 36 8c 86 a8 43 a1 d1 e0 45 4d 1e a0 16 70 95 46 74 03 10 44 c2 bf a9 c7 01 79 89 f3 0e 0b 21 e8 2b 50 68 3d 26 21 0f 02 96 40 4b a6 d1 88 dc 5f d6 e3 1c bc 8c 8e e9 be 84 df 2e 1a 18 5d 8d 90 a0 7a 6e 9a ac 3a 20 aa 6b e1 20 3e c8 01 70 ed 0d bd a5 b8 66 5d 1f 9c af 59 09 8d 44 0d 2b 6c ea 78 3c 62 ea 99 19 d5 37 de ca e3 a8 8f b1 7e 7e 20 8c 5e f8 3d 36 f8 49 53 a8 94 62 bd 6b 0b 7a 90 f4 ad 6f 
ab 70 aa ff 20 9c aa 8e 98 f2 a4 d6 71 8c ef e4 be 34 e0 ac 67 f4 3f 33 66 20 32 66 bc 59 63 3b 64 72 6f f6 cf 71 65 eb 1f 1a f1 15 00 55 a1 0a 7a 0b 69 e8 a3 cc a9 0b c4 62 d4 8c c5 0b b6 18 05 83 72 a2 2f 02 56 11 4b df 2a 36 b0 8a 95 cb db b4 28 a2 e9 fc fc 27 92 64 07 40 5c 2f a5 2b 06 8c 67 08 af 54 75 84 aa f6 0e a9 8a d7 de 54 9a 13 8e 96 34 51 4b 21 63 50 20 4d 99 f4 a9 62 4d 76 1a 70 4d 9c 35 a3 3b 7a b9 45 1a 26 fa c8 85 f5 75 7d 72 38 dc 62 e0 1a c7 22 e0 4d 06 0c 86 78 95 62 4a b6 6a 62 82 fe b0 8c fc dd f1 59 54 4d 19 96 91 0f 19 8a 6a d7 37 82 88 2b dd 35 3b 48 49 c1 c7 0a 08 d3 0f c9 3d e6 9f 79 5c 0b 19 94 84 39 7c d1 db 16 42 b6 5c 3d 30 bd c8 11 dd ed a6 1d e6 58 80 4c 06 16 43 12 12 25 22 1e 90 63 7f 89 57 d1 d5 95 34 e0 99 1a 5b f1 40 44 9a fb 34 2a 82 39 06 3e 8a 8c a3 ad 8a 6a 11 3f 1a 20 a5 2e 03 94 56 a0 7d 36 a2 41 b9 71 a9 90 06 48 75 3d a3 13 fe b3 3b 63 cd 52 23 15 37 1e 6b 52 93 0d 43 bc c8 33 1e a7 90 62 34 d1 cd e6 6c d1 0a bb c0 6b 2f 25 16 99 d6 22 b1 59 51 6c 17 a0 7a 26 15 ea 9e 0a 6
      Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmpString found in binary or memory: <li><a href="http://www.facebook.com/ucoz.web.builder" target="_blank">Facebook</a></li> equals www.facebook.com (Facebook)
      Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmpString found in binary or memory: Phttp://www.facebook.com/ucoz.web.builder75.1 equals www.facebook.com (Facebook)
      Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmpString found in binary or memory: Phttp://www.facebook.com/ucoz.web.builderhtml equals www.facebook.com (Facebook)
      Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmpString found in binary or memory: http://www.facebook.com/ucoz.web.builder equals www.facebook.com (Facebook)
      Source: njw.exe, 00000000.00000002.936889233.000000000B821000.00000004.00000001.sdmpString found in binary or memory: http://www.facebook.com/ucoz.web.builder7 equals www.facebook.com (Facebook)
      Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmpString found in binary or memory: http://www.facebook.com/ucoz.web.buildert equals www.facebook.com (Facebook)
      Source: njw.exe, 00000000.00000002.934975035.0000000006A40000.00000004.00000001.sdmpString found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
      Source: njw.exe, 00000000.00000002.934975035.0000000006A40000.00000004.00000001.sdmpString found in binary or memory: www.facebook.comi equals www.facebook.com (Facebook)
      Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmpString found in binary or memory: http://book.ucoz.com
      Source: njw.exe, 00000000.00000002.936865761.000000000B811000.00000004.00000001.sdmpString found in binary or memory: http://book.ucoz.com/
      Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmpString found in binary or memory: http://counter.yadro.ru/
      Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmpString found in binary or memory: http://counter.yadro.ru/hit;counter1?r
      Source: njw.exe, 00000000.00000002.935239138.0000000006A8C000.00000004.00000001.sdmpString found in binary or memory: http://counter.yadro.ru/hit;counter1?r;s1280
      Source: njw.exe, 00000000.00000003.754055959.000000000B75B000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
      Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp, njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmpString found in binary or memory: http://faq.ucoz.com/
      Source: njw.exe, 00000000.00000002.936865761.000000000B811000.00000004.00000001.sdmpString found in binary or memory: http://faq.ucoz.com/iCy
      Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmpString found in binary or memory: http://faq.ucoz.com/z
      Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp, njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmpString found in binary or memory: http://forum.ucoz.com/
      Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmpString found in binary or memory: http://forum.ucoz.com/)
      Source: njw.exe, 00000000.00000002.936889233.000000000B821000.00000004.00000001.sdmpString found in binary or memory: http://forum.ucoz.com/r4r
      Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp, njw.exe, 00000000.00000002.935452329.0000000006ADC000.00000004.00000001.sdmpString found in binary or memory: http://google.com/search
      Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmpString found in binary or memory: http://google.com/searchb
      Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmpString found in binary or memory: http://google.com/searchr-c
      Source: njw.exeString found in binary or memory: http://madExcept.com
      Source: njw.exe, 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmpString found in binary or memory: http://madExcept.comU
      Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp, njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmp, njw.exe, 00000000.00000002.936889233.000000000B821000.00000004.00000001.sdmpString found in binary or memory: http://top.ucoz.com/
      Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmpString found in binary or memory: http://top.ucoz.com/Ita
      Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp, njw.exe, 00000000.00000002.936702634.000000000B7B1000.00000004.00000001.sdmpString found in binary or memory: http://ucoz.com
      Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmpString found in binary or memory: http://ucoz.com/register/
      Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmpString found in binary or memory: http://ucoz.com/register/n:
      Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmpString found in binary or memory: http://ucoz.com/register/x;Z
      Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmpString found in binary or memory: http://ucoz.com/register/~
      Source: njw.exe, 00000000.00000002.934975035.0000000006A40000.00000004.00000001.sdmpString found in binary or memory: http://ucoz.com/s
      Source: njw.exe, 00000000.00000002.935016714.0000000006A58000.00000004.00000001.sdmpString found in binary or memory: http://ucoz.com:
      Source: njw.exe, 00000000.00000002.935016714.0000000006A58000.00000004.00000001.sdmpString found in binary or memory: http://ucoz.comN
      Source: njw.exe, 00000000.00000002.934808825.00000000067D8000.00000004.00000001.sdmpString found in binary or memory: http://w3.o
      Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.
      Source: njw.exe, 00000000.00000002.935353424.0000000006AA7000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.d
      Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.naro:
      Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod
      Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.r
      Source: njw.exeString found in binary or memory: http://www.all-bearings.narod.ru
      Source: njw.exe, 00000000.00000002.935452329.0000000006ADC000.00000004.00000001.sdmp, njw.exe, 00000000.00000002.934046409.0000000004004000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/
      Source: njw.exe, 00000000.00000002.936702634.000000000B7B1000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/$
      Source: njw.exe, 00000000.00000003.754245026.0000000006B19000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-arrow.png
      Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-arrow.png$yE
      Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-arrow.png4yU
      Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-arrow.pngDye
      Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-arrow.pngDze
      Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-arrow.pngTDu
      Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-arrow.pngg
      Source: njw.exe, 00000000.00000002.936702634.000000000B7B1000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-arrow.pngu
      Source: njw.exe, 00000000.00000003.754055959.000000000B75B000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-arrow.pngx
      Source: njw.exe, 00000000.00000002.932325468.0000000000948000.00000004.00000020.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-arrow.pngz
      Source: njw.exe, 00000000.00000003.754055959.000000000B75B000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-header-line.gif
      Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp, njw.exe, 00000000.00000002.936684119.000000000B79C000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-header-line.gif...
      Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-header-line.gif.dll
      Source: njw.exe, 00000000.00000002.935452329.0000000006ADC000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-header-line.gifQ
      Source: njw.exe, 00000000.00000002.935452329.0000000006ADC000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-header-line.gifT
      Source: njw.exe, 00000000.00000002.935452329.0000000006ADC000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-header-line.gifW
      Source: njw.exe, 00000000.00000003.754332572.000000000B7CE000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-header-line.gifY
      Source: njw.exe, 00000000.00000002.935452329.0000000006ADC000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-header-line.gifg
      Source: njw.exe, 00000000.00000003.754055959.000000000B75B000.00000004.00000001.sdmp, njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-logo.png
      Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-logo.png$zE
      Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-logo.png4
      Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-logo.png4DU
      Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-logo.pngD
      Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-logo.pngTzu
      Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-logo.pngd
      Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-logo.pngdD
      Source: njw.exe, 00000000.00000002.935452329.0000000006ADC000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404-logo.pngt
      Source: njw.exe, 00000000.00000003.754088792.000000000B79C000.00000004.00000001.sdmp, njw.exe, 00000000.00000002.935383674.0000000006AAD000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404.png
      Source: njw.exe, 00000000.00000002.935353424.0000000006AA7000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404.png07
      Source: njw.exe, 00000000.00000003.754088792.000000000B79C000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404.png?X
      Source: njw.exe, 00000000.00000002.935353424.0000000006AA7000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404.pngB7
      Source: njw.exe, 00000000.00000002.934975035.0000000006A40000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404.pngg/
      Source: njw.exe, 00000000.00000002.935353424.0000000006AA7000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/404.pngv6
      Source: njw.exe, 00000000.00000003.754332572.000000000B7CE000.00000004.00000001.sdmp, njw.exe, 00000000.00000002.935452329.0000000006ADC000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/button.png
      Source: njw.exe, 00000000.00000003.754316994.000000000B7B1000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/button.png&
      Source: njw.exe, 00000000.00000002.934975035.0000000006A40000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/button.png-c
      Source: njw.exe, 00000000.00000003.754037157.000000000B828000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/button.png...
      Source: njw.exe, 00000000.00000002.935383674.0000000006AAD000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/button.png5?
      Source: njw.exe, 00000000.00000002.935383674.0000000006AAD000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/button.pngT8T
      Source: njw.exe, 00000000.00000003.754332572.000000000B7CE000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/button.pngX
      Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/button.pnges
      Source: njw.exe, 00000000.00000002.935452329.0000000006ADC000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/button.pngf
      Source: njw.exe, 00000000.00000002.935383674.0000000006AAD000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/button.pngg8g
      Source: njw.exe, 00000000.00000003.754519394.000000000B7CE000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/button.pngj
      Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/.s/img/err/button.pngt
      Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/B
      Source: njw.exe, 00000000.00000002.935452329.0000000006ADC000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/F
      Source: njw.exe, 00000000.00000002.935655115.0000000006B19000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/firstpage.html
      Source: njw.exe, 00000000.00000002.932520416.00000000009F9000.00000004.00000020.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/firstpage.html-bearings.narod.ru/firstpage.html...
      Source: njw.exe, 00000000.00000002.932520416.00000000009F9000.00000004.00000020.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/firstpage.html...
      Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/firstpage.html/
      Source: njw.exe, 00000000.00000002.936702634.000000000B7B1000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/firstpage.html1
      Source: njw.exe, 00000000.00000003.754245026.0000000006B19000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/firstpage.html2
      Source: njw.exe, 00000000.00000002.940327666.000000000DF70000.00000004.00000010.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/firstpage.html4E
      Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/firstpage.html7
      Source: njw.exe, 00000000.00000002.936631044.000000000B76B000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/firstpage.htmlGix
      Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/firstpage.htmlHIe
      Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/firstpage.htmlI
      Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/firstpage.htmlO
      Source: njw.exe, 00000000.00000002.934975035.0000000006A40000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/firstpage.htmlQ
      Source: njw.exe, 00000000.00000003.754245026.0000000006B19000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/firstpage.htmlU:
      Source: njw.exe, 00000000.00000003.754245026.0000000006B19000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/firstpage.htmlWK
      Source: njw.exe, 00000000.00000003.754316994.000000000B7B1000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/firstpage.htmleople
      Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/firstpage.htmlg
      Source: njw.exe, 00000000.00000002.936034770.000000000A077000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/firstpage.htmlhttp://www.all-bearings.narod.ru/firstpage.html
      Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/firstpage.htmlk
      Source: njw.exe, 00000000.00000003.754037157.000000000B828000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/firstpage.htmlk4y
      Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/firstpage.htmly
      Source: njw.exe, 00000000.00000002.935452329.0000000006ADC000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/n
      Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/secondp
      Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmp, njw.exe, 00000000.00000002.940355610.000000000DF90000.00000004.00000010.sdmp, njw.exe, 00000000.00000002.935655115.0000000006B19000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/secondpage.html
      Source: njw.exe, 00000000.00000003.754245026.0000000006B19000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/secondpage.html(
      Source: njw.exe, 00000000.00000002.937283236.000000000BAF0000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/secondpage.html-Aloud
      Source: njw.exe, 00000000.00000002.932520416.00000000009F9000.00000004.00000020.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/secondpage.html...
      Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/secondpage.html3
      Source: njw.exe, 00000000.00000003.754088792.000000000B79C000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/secondpage.html6
      Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/secondpage.htmlF
      Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/secondpage.htmlK
      Source: njw.exe, 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/secondpage.htmlU
      Source: njw.exe, 00000000.00000002.936631044.000000000B76B000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/secondpage.htmlX
      Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/secondpage.htmlY
      Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/secondpage.htmletCookies
      Source: njw.exe, 00000000.00000002.936631044.000000000B76B000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/secondpage.htmlh
      Source: njw.exe, 00000000.00000002.936009031.000000000A063000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/secondpage.htmlhttp://www.all-bearings.narod.ru/secondpage.html
      Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/secondpage.htmllU
      Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/secondpage.htmllq
      Source: njw.exe, 00000000.00000002.932520416.00000000009F9000.00000004.00000020.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/secondpage.htmlndpage.html...rstpage.html
      Source: njw.exe, 00000000.00000002.932312200.0000000000940000.00000004.00000020.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/secondpage.htmlng.pnge.gifE5
      Source: njw.exe, 00000000.00000002.932520416.00000000009F9000.00000004.00000020.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/secondpage.htmlngs.narod.ru/secondpage.html
      Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/secondpage.htmls
      Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/secondpage.htmlsk
      Source: njw.exe, 00000000.00000003.754055959.000000000B75B000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/secondpage.htmlu6
      Source: njw.exe, 00000000.00000002.936702634.000000000B7B1000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/sl
      Source: njw.exe, njw.exe, 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmpString found in binary or memory: http://www.all-bearings.narod.ru/webhelp.html
      Source: njw.exe, 00000000.00000002.940327666.000000000DF70000.00000004.00000010.sdmpString found in binary or memory: http://www.all-bearings.narod.ruL
      Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.ruc
      Source: njw.exe, 00000000.00000002.934975035.0000000006A40000.00000004.00000001.sdmpString found in binary or memory: http://www.all-bearings.narod.rud
      Source: njw.exe, 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmpString found in binary or memory: http://www.all-bearings.narod.ruopenS
      Source: njw.exe, 00000000.00000003.751994283.00000000067C9000.00000004.00000001.sdmp, njw.exe, 00000000.00000003.753243308.000000000680B000.00000004.00000001.sdmp, ga[1].js.0.drString found in binary or memory: http://www.google-analytics.com
      Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmpString found in binary or memory: http://www.google-analytics.com/
      Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmpString found in binary or memory: http://www.google-analytics.com/32
      Source: njw.exe, 00000000.00000002.935315308.0000000006A9C000.00000004.00000001.sdmpString found in binary or memory: http://www.google-analytics.com/7
      Source: njw.exe, 00000000.00000003.754245026.0000000006B19000.00000004.00000001.sdmpString found in binary or memory: http://www.google-analytics.com/__utm.gif?utmwv=5.7.2&utms=2&utmn=1625169737&utmhn=www.all-bearings.
      Source: njw.exe, 00000000.00000003.754245026.0000000006B19000.00000004.00000001.sdmpString found in binary or memory: http://www.google-analytics.com/ga.js
      Source: njw.exe, 00000000.00000003.754316994.000000000B7B1000.00000004.00000001.sdmpString found in binary or memory: http://www.google-analytics.com/ga.js)
      Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmpString found in binary or memory: http://www.google-analytics.com/ga.js-1002c
      Source: njw.exe, 00000000.00000003.754332572.000000000B7CE000.00000004.00000001.sdmpString found in binary or memory: http://www.google-analytics.com/ga.js021
      Source: njw.exe, 00000000.00000002.936009031.000000000A063000.00000004.00000001.sdmpString found in binary or memory: http://www.google-analytics.com/ga.jsV
      Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmpString found in binary or memory: http://www.google-analytics.com/ga.jscrC:
      Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmpString found in binary or memory: http://www.google-analytics.com/ga.jsitC:
      Source: njw.exe, 00000000.00000003.754265887.0000000006B3A000.00000004.00000001.sdmp, njw.exe, 00000000.00000003.754055959.000000000B75B000.00000004.00000001.sdmp, njw.exe, 00000000.00000003.754332572.000000000B7CE000.00000004.00000001.sdmpString found in binary or memory: http://www.google-analytics.com/r/__utm.gif?utmwv=5.7.2&utms=1&utmn=1923535507&utmhn=www.all-bearing
      Source: njw.exe, 00000000.00000002.936009031.000000000A063000.00000004.00000001.sdmp, njw.exe, 00000000.00000002.937344665.000000000BB25000.00000004.00000001.sdmpString found in binary or memory: http://www.google-analytics.comwww.google-analytics.com
      Source: njw.exe, 00000000.00000002.938239805.000000000D9C0000.00000004.00000040.sdmpString found in binary or memory: http://www.macromedia.com
      Source: njw.exeString found in binary or memory: http://www.remserviss.ru
      Source: njw.exe, 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmpString found in binary or memory: http://www.remserviss.ruopen
      Source: njw.exe, 00000000.00000002.936854078.000000000B80E000.00000004.00000001.sdmp, njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmpString found in binary or memory: http://www.ucoz.com/pricing/
      Source: njw.exe, 00000000.00000002.935353424.0000000006AA7000.00000004.00000001.sdmpString found in binary or memory: http://www.ucoz.com/pricing/.5
      Source: njw.exe, 00000000.00000002.936854078.000000000B80E000.00000004.00000001.sdmpString found in binary or memory: http://www.ucoz.com/pricing/Iy
      Source: njw.exe, 00000000.00000002.936854078.000000000B80E000.00000004.00000001.sdmp, njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp, njw.exe, 00000000.00000002.935353424.0000000006AA7000.00000004.00000001.sdmpString found in binary or memory: http://www.ucoz.com/privacy/
      Source: njw.exe, 00000000.00000002.936854078.000000000B80E000.00000004.00000001.sdmpString found in binary or memory: http://www.ucoz.com/privacy/%y
      Source: njw.exe, 00000000.00000002.936854078.000000000B80E000.00000004.00000001.sdmpString found in binary or memory: http://www.ucoz.com/privacy/dyb
      Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp, njw.exe, 00000000.00000002.936702634.000000000B7B1000.00000004.00000001.sdmpString found in binary or memory: http://www.ucoz.com/terms/
      Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmpString found in binary or memory: http://www.ucoz.com/terms/j
      Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmpString found in binary or memory: http://www.ucoz.com/terms/s
      Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp, njw.exe, 00000000.00000002.936702634.000000000B7B1000.00000004.00000001.sdmpString found in binary or memory: http://www.ucoz.com/tour/
      Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmpString found in binary or memory: http://www.ucoz.com/tour/8a
      Source: njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmpString found in binary or memory: http://www.ucoz.com/tour/px
      Source: njw.exe, 00000000.00000002.936702634.000000000B7B1000.00000004.00000001.sdmpString found in binary or memory: http://www.ucoz.com/tour/q
      Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmpString found in binary or memory: https://counter.yadro.ru/
      Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmpString found in binary or memory: https://counter.yadro.ru/&
      Source: njw.exe, 00000000.00000003.754332572.000000000B7CE000.00000004.00000001.sdmp, njw.exe, 00000000.00000002.935516918.0000000006AF2000.00000004.00000001.sdmpString found in binary or memory: https://counter.yadro.ru/hit;counter1?q;r;s1280
      Source: njw.exe, 00000000.00000002.935452329.0000000006ADC000.00000004.00000001.sdmpString found in binary or memory: https://counter.yadro.ru/hit;counter1?r;s1280
      Source: njw.exe, 00000000.00000003.792685337.000000000F5D7000.00000004.00000001.sdmp, njw.exe, 00000000.00000003.774568164.000000000E05A000.00000004.00000010.sdmp, njw.exe, 00000000.00000002.937010137.000000000B8DE000.00000004.00000001.sdmp, njw.exe, 00000000.00000003.756432489.000000000684E000.00000004.00000001.sdmp, watch[1].js.0.drString found in binary or memory: https://iframe-toloka.com/
      Source: njw.exe, 00000000.00000002.932520416.00000000009F9000.00000004.00000020.sdmpString found in binary or memory: https://login.live.comt
      Source: njw.exe, 00000000.00000002.935488975.0000000006AEB000.00000004.00000001.sdmpString found in binary or memory: https://mc.y
      Source: njw.exe, 00000000.00000002.936702634.000000000B7B1000.00000004.00000001.sdmpString found in binary or memory: https://mc.y0
      Source: njw.exe, 00000000.00000002.937010137.000000000B8DE000.00000004.00000001.sdmp, watch[1].js.0.drString found in binary or memory: https://mc.yandex.
      Source: njw.exe, 00000000.00000003.782452215.000000000DF16000.00000004.00000010.sdmpString found in binary or memory: https://mc.yandex.:
      Source: njw.exe, 00000000.00000002.937010137.000000000B8DE000.00000004.00000001.sdmp, watch[1].js.0.drString found in binary or memory: https://mc.yandex.md/cc
      Source: njw.exe, 00000000.00000003.789755108.000000000F548000.00000004.00000001.sdmpString found in binary or memory: https://mc.yandex.md/ccPageView.
      Source: njw.exe, 00000000.00000003.756432489.000000000684E000.00000004.00000001.sdmpString found in binary or memory: https://mc.yandex.md/ccba
      Source: njw.exe, 00000000.00000003.756492906.0000000006831000.00000004.00000001.sdmpString found in binary or memory: https://mc.yandex.pK
      Source: njw.exe, 00000000.00000002.937010137.000000000B8DE000.00000004.00000001.sdmp, njw.exe, 00000000.00000003.756432489.000000000684E000.00000004.00000001.sdmp, watch[1].js.0.drString found in binary or memory: https://s3.mds.yandex.net/internal-metrika-betas
      Source: njw.exe, 00000000.00000003.790985819.000000000F57D000.00000004.00000001.sdmpString found in binary or memory: https://s3.mds.yandex.net/internal-metrika-betasS
      Source: njw.exe, 00000000.00000002.936009031.000000000A063000.00000004.00000001.sdmp, njw.exe, 00000000.00000003.751994283.00000000067C9000.00000004.00000001.sdmp, njw.exe, 00000000.00000003.753243308.000000000680B000.00000004.00000001.sdmp, njw.exe, 00000000.00000002.937440425.000000000BB68000.00000004.00000001.sdmp, ga[1].js.0.drString found in binary or memory: https://ssl.google-analytics.com
      Source: njw.exe, 00000000.00000002.936009031.000000000A063000.00000004.00000001.sdmp, njw.exe, 00000000.00000003.751994283.00000000067C9000.00000004.00000001.sdmp, njw.exe, 00000000.00000003.753243308.000000000680B000.00000004.00000001.sdmp, ga[1].js.0.drString found in binary or memory: https://ssl.google-analytics.com/j/__utm.gif
      Source: njw.exe, 00000000.00000002.936233347.000000000A330000.00000004.00000001.sdmpString found in binary or memory: https://ssl.google-analytics.com/j/__utm.gifpN3
      Source: njw.exe, 00000000.00000002.936009031.000000000A063000.00000004.00000001.sdmp, njw.exe, 00000000.00000003.751994283.00000000067C9000.00000004.00000001.sdmp, njw.exe, 00000000.00000003.753243308.000000000680B000.00000004.00000001.sdmp, ga[1].js.0.drString found in binary or memory: https://stats.g.doubleclick.net/j/collect?
      Source: njw.exe, 00000000.00000002.936889233.000000000B821000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/
      Source: njw.exe, 00000000.00000002.935353424.0000000006AA7000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/#
      Source: njw.exe, 00000000.00000002.936889233.000000000B821000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/k4y
      Source: ga[1].js.0.drString found in binary or memory: https://www.google.%/ads/ga-audiences?
      Source: njw.exe, 00000000.00000002.936009031.000000000A063000.00000004.00000001.sdmp, njw.exe, 00000000.00000003.751994283.00000000067C9000.00000004.00000001.sdmp, njw.exe, 00000000.00000003.753243308.000000000680B000.00000004.00000001.sdmp, ga[1].js.0.drString found in binary or memory: https://www.google.com/analytics/web/inpage/pub/inpage.js?
      Source: njw.exe, 00000000.00000002.938239805.000000000D9C0000.00000004.00000040.sdmpString found in binary or memory: https://www.macromedia.com/support/flashplayer/sys/
      Source: njw.exe, 00000000.00000002.937010137.000000000B8DE000.00000004.00000001.sdmp, njw.exe, 00000000.00000003.785521786.000000000ECC0000.00000004.00000010.sdmp, njw.exe, 00000000.00000002.940327666.000000000DF70000.00000004.00000010.sdmp, njw.exe, 00000000.00000003.756492906.0000000006831000.00000004.00000001.sdmp, watch[1].js.0.drString found in binary or memory: https://yastatic.net/s3/gdpr/popup/v2/
      Source: njw.exe, 00000000.00000003.792685337.000000000F5D7000.00000004.00000001.sdmp, njw.exe, 00000000.00000002.937010137.000000000B8DE000.00000004.00000001.sdmp, njw.exe, 00000000.00000003.756432489.000000000684E000.00000004.00000001.sdmp, watch[1].js.0.drString found in binary or memory: https://yastatic.net/s3/metrika
      Source: njw.exe, 00000000.00000003.774568164.000000000E05A000.00000004.00000010.sdmp, njw.exe, 00000000.00000002.937010137.000000000B8DE000.00000004.00000001.sdmp, watch[1].js.0.drString found in binary or memory: https://ymetrica1.com/watch/3/1
      Source: unknown | DNS traffic detected: queries for: www.all-bearings.narod.ru
      Source: global traffic | HTTP traffic detected: GET /metrika/watch.js HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: mc.yandex.ru
      Source: global traffic | HTTP traffic detected: GET /hit;counter1?r;s1280*1024*32;uhttp%3A//www.all-bearings.narod.ru/secondpage.html;0.5443641556055339 HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: counter.yadro.ru
      Source: global traffic | HTTP traffic detected: GET /metrika/watch.js HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: mc.yandex.ru
      Source: global traffic | HTTP traffic detected: GET /hit;counter1?r;s1280*1024*32;uhttp%3A//www.all-bearings.narod.ru/firstpage.html;0.34476715437082456 HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: counter.yadro.ru
      Source: global traffic | HTTP traffic detected: GET /hit;counter1?q;r;s1280*1024*32;uhttp%3A//www.all-bearings.narod.ru/firstpage.html;0.34476715437082456 HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: counter.yadro.ruCookie: FTID=1XV1Xy3Wb9uB1XV1Xy001EiW
      Source: global traffic | HTTP traffic detected: GET /hit;counter1?q;r;s1280*1024*32;uhttp%3A//www.all-bearings.narod.ru/secondpage.html;0.5443641556055339 HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: counter.yadro.ruCookie: FTID=1XV1Xy3Wb9uB1XV1Xy001Ei9
      Source: global traffic | HTTP traffic detected: GET /watch/14153041?callback=_ymjsp303195921&page-url=http%3A%2F%2Fwww.all-bearings.narod.ru%2Fsecondpage.html&charset=utf-8&browser-info=pv%3A1%3Agdpr%3A14%3Avf%3A9ezyymqkmijljhdjn%3Afp%3A1976%3Afu%3A0%3Aen%3Autf-8%3Ala%3Aen-US%3Av%3A680%3Acn%3A1%3Adp%3A0%3Als%3A1156845228070%3Ahid%3A271984739%3Az%3A120%3Ai%3A202101029175118%3Aet%3A1635522678%3Ac%3A1%3Arn%3A1015963535%3Au%3A1635522678322622628%3Aw%3A148x55%3As%3A1280x1024x32%3Aifr%3A1%3Aj%3A1%3Ans%3A1635522674734%3Ads%3A0%2C0%2C0%2C0%2C0%2C0%2C%2C128%2C0%2C1973%2C1975%2C0%2C1973%3Aco%3A0%3Arqnl%3A1%3Ast%3A1635522680%3At%3AHTTP%20404%20Resource%20not%20found&t=gdpr(14)ti(3)&wmode=5 HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /watch/14153041?callback=_ymjsp355627947&page-url=http%3A%2F%2Fwww.all-bearings.narod.ru%2Ffirstpage.html&charset=utf-8&browser-info=pv%3A1%3Agdpr%3A14%3Avf%3A9ezyymqkmijljhdjn%3Afp%3A1930%3Afu%3A0%3Aen%3Autf-8%3Ala%3Aen-US%3Av%3A680%3Acn%3A1%3Adp%3A0%3Als%3A732524701665%3Ahid%3A87010386%3Az%3A120%3Ai%3A202101029175120%3Aet%3A1635522680%3Ac%3A1%3Arn%3A244404675%3Au%3A1635522678322622628%3Aw%3A148x47%3As%3A1280x1024x32%3Aifr%3A1%3Aj%3A1%3Ans%3A1635522674781%3Ads%3A0%2C0%2C0%2C0%2C0%2C0%2C%2C155%2C0%2C2520%2C2521%2C0%2C2520%3Aco%3A0%3Arqnl%3A1%3Ast%3A1635522681%3At%3AHTTP%20404%20Resource%20not%20found&t=gdpr(14)ti(3)&wmode=5 HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /metrika/advert.gif?t=ti(4) HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /watch/14153041/1?callback=_ymjsp303195921&page-url=http%3A%2F%2Fwww.all-bearings.narod.ru%2Fsecondpage.html&charset=utf-8&browser-info=pv%3A1%3Agdpr%3A14%3Avf%3A9ezyymqkmijljhdjn%3Afp%3A1976%3Afu%3A0%3Aen%3Autf-8%3Ala%3Aen-US%3Av%3A680%3Acn%3A1%3Adp%3A0%3Als%3A1156845228070%3Ahid%3A271984739%3Az%3A120%3Ai%3A202101029175118%3Aet%3A1635522678%3Ac%3A1%3Arn%3A1015963535%3Au%3A1635522678322622628%3Aw%3A148x55%3As%3A1280x1024x32%3Aifr%3A1%3Aj%3A1%3Ans%3A1635522674734%3Ads%3A0%2C0%2C0%2C0%2C0%2C0%2C%2C128%2C0%2C1973%2C1975%2C0%2C1973%3Aco%3A0%3Arqnl%3A1%3Ast%3A1635522680%3At%3AHTTP%20404%20Resource%20not%20found&t=gdpr%2814%29ti%283%29&wmode=5 HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-AliveCookie: yandexuid=847304281635522680; i=vL1T7ICVuHRXpyNPzwMzlaKjl/D94ryPalEPO4xIx2pX5AZpVtBfDP0muIercdmDCjCbNqUK2tSOHbHUPiY/6ZY1euA=; ymex=1667058680.yrts.1635522680#1667058680.yrtsi.1635522680; yabs-sid=2327043721635522680
      Source: global traffic | HTTP traffic detected: GET /watch/14153041/1?callback=_ymjsp355627947&page-url=http%3A%2F%2Fwww.all-bearings.narod.ru%2Ffirstpage.html&charset=utf-8&browser-info=pv%3A1%3Agdpr%3A14%3Avf%3A9ezyymqkmijljhdjn%3Afp%3A1930%3Afu%3A0%3Aen%3Autf-8%3Ala%3Aen-US%3Av%3A680%3Acn%3A1%3Adp%3A0%3Als%3A732524701665%3Ahid%3A87010386%3Az%3A120%3Ai%3A202101029175120%3Aet%3A1635522680%3Ac%3A1%3Arn%3A244404675%3Au%3A1635522678322622628%3Aw%3A148x47%3As%3A1280x1024x32%3Aifr%3A1%3Aj%3A1%3Ans%3A1635522674781%3Ads%3A0%2C0%2C0%2C0%2C0%2C0%2C%2C155%2C0%2C2520%2C2521%2C0%2C2520%3Aco%3A0%3Arqnl%3A1%3Ast%3A1635522681%3At%3AHTTP%20404%20Resource%20not%20found&t=gdpr%2814%29ti%283%29&wmode=5 HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-AliveCookie: yandexuid=3723159021635522681; i=yROKAQCkQEDp/MhTCtujtSWzFSx7PgG/2QZgPGeQuaYkCYGk4Lr5g33sdF0NzFWf3pPBk9Yj1OF7cHnVzZMM+SWO+Mc=; ymex=1667058681.yrts.1635522681#1667058681.yrtsi.1635522681; yabs-sid=702787781635522681
      Source: global traffic | HTTP traffic detected: GET /metrika/advert.gif?t=ti(4) HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /secondpage.html HTTP/1.1Accept: */*Accept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /firstpage.html HTTP/1.1Accept: */*Accept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /hit;counter1?r;s1280*1024*32;uhttp%3A//www.all-bearings.narod.ru/firstpage.html;0.34476715437082456 HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: counter.yadro.ruConnection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /metrika/watch.js HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /metrika/watch.js HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /hit;counter1?r;s1280*1024*32;uhttp%3A//www.all-bearings.narod.ru/secondpage.html;0.5443641556055339 HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: counter.yadro.ruConnection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /.s/img/err/button.png HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /.s/img/err/404-header-line.gif HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /.s/img/err/404-arrow.png HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /.s/img/err/404-logo.png HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /.s/img/err/404.png HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/secondpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /.s/img/err/button.png HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /.s/img/err/404-header-line.gif HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /.s/img/err/404-logo.png HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /.s/img/err/404-arrow.png HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /.s/img/err/404.png HTTP/1.1Accept: */*Referer: http://www.all-bearings.narod.ru/firstpage.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.all-bearings.narod.ruConnection: Keep-Alive
      Source: unknown | HTTPS traffic detected: 87.250.251.119:443 -> 192.168.2.4:49791 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 87.250.251.119:443 -> 192.168.2.4:49790 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 88.212.201.198:443 -> 192.168.2.4:49792 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 88.212.201.198:443 -> 192.168.2.4:49793 version: TLS 1.2
      Source: njw.exe, 00000000.00000002.932325468.0000000000948000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
      Source: C:\Users\user\Desktop\njw.exe | Windows user hook set: 0 mouse low level C:\Windows\system32\dinput8.dll
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_0042CB18 OpenClipboard,EmptyClipboard,CloseClipboard,OpenClipboard,GlobalAlloc,GlobalFix,GlobalUnWire,SetClipboardData,CloseClipboard, | 0_2_0042CB18

      System Summary:

      PE file has nameless sections
      Source: njw.exe | Static PE information: section name:
      Source: njw.exe | Static PE information: section name:
      Source: njw.exe | Static PE information: section name:
      Source: njw.exe | Static PE information: section name:
      Source: njw.exe | Static PE information: section name:
      Source: njw.exe | Static PE information: section name:
      Source: njw.exe | Static PE information: section name:
      Source: njw.exe | Static PE information: section name:
      Source: njw.exe | Static PE information: section name:
      Source: njw.exe | Static PE information: section name:
      Source: njw.exe | Static PE information: section name:
      Source: njw.exe | Static PE information: section name:
      Source: njw.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DEBUG_STRIPPED, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_00410CCC | 0_2_00410CCC
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_00418068 | 0_2_00418068
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_00412120 | 0_2_00412120
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_00415330 | 0_2_00415330
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_0043F454 | 0_2_0043F454
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_00416554 | 0_2_00416554
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_0069251E | 0_2_0069251E
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_004247D8 | 0_2_004247D8
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_004177E8 | 0_2_004177E8
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_0040D97C | 0_2_0040D97C
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_00414938 | 0_2_00414938
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_00427A5C | 0_2_00427A5C
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_00690DFF | 0_2_00690DFF
      Source: C:\Users\user\Desktop\njw.exe | Code function: String function: 00436A94 appears 46 times
      Source: C:\Users\user\Desktop\njw.exe | Code function: String function: 00404C04 appears 35 times
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_0040B8E8 NtdllDefWindowProc_A,WaitForSingleObject,ReleaseMutex, | 0_2_0040B8E8
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_0042AC1C GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetCurrentProcessId,GetModuleHandleA,NtQuerySystemInformation,LocalFree,LocalAlloc,LocalAlloc,NtQuerySystemInformation,GetCurrentProcessId,LocalFree, | 0_2_0042AC1C
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_0043F454 NtdllDefWindowProc_A,LoadCursorA,SetCursor,NtdllDefWindowProc_A,BeginPaint,GetClientRect,GetSysColor,GetSysColor,SelectObject,GetTextExtentPoint32A,SetTextColor,GetSysColor,SetTextColor,GetSysColor,SetBkColor,TextOutA,SelectObject,EndPaint,NtdllDefWindowProc_A,InvalidateRect,NtdllDefWindowProc_A,ShellExecuteA,NtdllDefWindowProc_A,NtdllDefWindowProc_A,GetFocus,KillTimer,InvalidateRect,GetSysColor,GetSysColor,Sleep,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetClientRect,PostMessageA,GetSysColor,GetSysColor,KillTimer,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,NtdllDefWindowProc_A,GetWindowRect,GetWindowPlacement,SetWindowPos,GetWindowPlacement,SetWindowPos,GetWindowPlacement,SetWindowPos,GetWindowPlacement,SetWindowPos,GetWindowPlacement,SetWindowPos,GetClientRect,InvalidateRect,NtdllDefWindowProc_A, | 0_2_0043F454
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_00427A5C GetCursorPos,ScreenToClient,IsWindowEnabled,LoadCursorA,SetCursor,NtdllDefWindowProc_A,SetCapture,ReleaseCapture,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,BeginPaint,EndPaint,SetTextColor,SetTextColor,SetTextColor,SetTextColor,GetSysColorBrush,GetClientRect,GetFocus,SetFocus,KillTimer,NtdllDefWindowProc_A,NtdllDefWindowProc_A,GetWindowRect,ScreenToClient,ScreenToClient,InflateRect,InvalidateRect,InvalidateRect,InvalidateRect,InvalidateRect,GetWindowLongA,PostMessageA,GetFocus,KillTimer,NtdllDefWindowProc_A, | 0_2_00427A5C
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_00408BAC GetWindowLongA,GetWindowLongA,NtdllDefWindowProc_A, | 0_2_00408BAC
      Source: C:\Users\user\Desktop\njw.exe | Process Stats: CPU usage > 98%
      Source: njw.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
      Source: njw.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
      Source: njw.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
      Source: njw.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
      Source: njw.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
      Source: njw.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
      Source: njw.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
      Source: njw.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
      Source: njw.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
      Source: njw.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
      Source: njw.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
      Source: njw.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
      Source: njw.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
      Source: njw.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
      Source: njw.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
      Source: njw.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
      Source: njw.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
      Source: njw.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
      Source: njw.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
      Source: njw.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
      Source: njw.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
      Source: njw.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
      Source: njw.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
      Source: njw.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
      Source: njw.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
      Source: njw.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
      Source: njw.exe | Static PE information: Number of sections : 12 > 10
      Source: njw.exe | Static PE information: Section: ZLIB complexity 1.0021484375
      Source: njw.exe | Virustotal: Detection: 11%
      Source: C:\Users\user\Desktop\njw.exe | File read: C:\Users\user\Desktop\njw.exe
      Source: C:\Users\user\Desktop\njw.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\njw.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32
      Source: C:\Users\user\Desktop\njw.exe | File created: C:\Users\user\Desktop\bugreport.txt
      Source: C:\Users\user\Desktop\njw.exe | File created: C:\Users\user\AppData\Local\Temp\njw.madExcept
      Source: classification engine | Classification label: mal60.spyw.winEXE@1/17@4/3
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_0068ED30 GetLastError,FormatMessageA,wsprintfA, | 0_2_0068ED30
      Source: C:\Users\user\Desktop\njw.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: njw.exe | Joe Sandbox Cloud Basic: Detection: clean Score: 0
      Source: C:\Users\user\Desktop\njw.exe | Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1bd0
      Source: C:\Users\user\Desktop\njw.exe | Mutant created: \Sessions\1\BaseNamedObjects\madToolsMsgHandlerMutex$1bd4$40ba70
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_0042E204 FindResourceA, | 0_2_0042E204
      Source: Yara match | File source: 0.2.njw.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, type: MEMORY
      Source: C:\Users\user\Desktop\njw.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\njw.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\njw.exe | Window found: window name: TEdit
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: njw.exe | Static file information: File size 1694802 > 1048576
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_00446FC4 push ecx; mov dword ptr [esp], edx | 0_2_00446FC5
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_00407128 push 00407154h; ret | 0_2_0040714C
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_0040B13C push 0040B168h; ret | 0_2_0040B160
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_00408184 push 004081B0h; ret | 0_2_004081A8
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_0042A240 push 0042A26Ch; ret | 0_2_0042A264
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_0040926C push 00409298h; ret | 0_2_00409290
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_00408348 push 00408374h; ret | 0_2_0040836C
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_00408310 push 0040833Ch; ret | 0_2_00408334
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_0041331C push 00413348h; ret | 0_2_00413340
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_0042A3D8 push 0042A404h; ret | 0_2_0042A3FC
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_00418390 push 004183BCh; ret | 0_2_004183B4
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_004583B8 push ecx; mov dword ptr [esp], edx | 0_2_004583BD
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_0042A458 push 0042A484h; ret | 0_2_0042A47C
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_0042A420 push 0042A44Ch; ret | 0_2_0042A444
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_0042A4C8 push 0042A4F4h; ret | 0_2_0042A4EC
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_0042A490 push 0042A4BCh; ret | 0_2_0042A4B4
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_0042A550 push 0042A57Ch; ret | 0_2_0042A574
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_0042A500 push 0042A52Ch; ret | 0_2_0042A524
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_004285B8 push ecx; mov dword ptr [esp], ecx | 0_2_004285BD
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_00417784 push 004177B0h; ret | 0_2_004177A8
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_0042A8E0 push 0042A90Ch; ret | 0_2_0042A904
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_004098AC push ecx; mov dword ptr [esp], edx | 0_2_004098B1
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_0041C968 push 0041C9ADh; ret | 0_2_0041C9A5
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_00423968 push 00423994h; ret | 0_2_0042398C
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_00409914 push ecx; mov dword ptr [esp], edx | 0_2_00409919
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_0041C920 push 0041C963h; ret | 0_2_0041C95B
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_0042A988 push 0042A9B4h; ret | 0_2_0042A9AC
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_0040CB58 push 0040CB85h; ret | 0_2_0040CB7D
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_0040CB00 push 0040CB53h; ret | 0_2_0040CB4B
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_00406DF4 push 00406E45h; ret | 0_2_00406E3D
      Source: njw.exe | Static PE information: section name:
      Source: njw.exe | Static PE information: section name:
      Source: njw.exe | Static PE information: section name:
      Source: njw.exe | Static PE information: section name:
      Source: njw.exe | Static PE information: section name:
      Source: njw.exe | Static PE information: section name:
      Source: njw.exe | Static PE information: section name:
      Source: njw.exe | Static PE information: section name:
      Source: njw.exe | Static PE information: section name:
      Source: njw.exe | Static PE information: section name:
      Source: njw.exe | Static PE information: section name:
      Source: njw.exe | Static PE information: section name:
      Source: njw.exe | Static PE information: real checksum: 0x287c15 should be: 0x1a3590
      Source: initial sample | Static PE information: section name: entropy: 7.97472353809
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_00429058 IsWindowEnabled,EnableWindow,CreateCompatibleDC,SelectObject,DeleteDC,GetWindowRect,GetClientRect,GetSystemMetrics,GetSystemMetrics,SetWindowPos,ShowWindow,IsIconic,ShowWindow,BringWindowToTop,SetForegroundWindow,SetTimer,GetKeyState,IsDialogMessage,TranslateMessage,DispatchMessageA,IsWindow,GetMessageA,VirtualFree,EnableWindow,SetActiveWindow, | 0_2_00429058
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_004234B8 GetWindowThreadProcessId,GetCurrentProcessId,IsWindowVisible,IsIconic,GetWindowRect,OffsetRect, | 0_2_004234B8
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_0042354C GetWindowThreadProcessId,GetCurrentProcessId,IsWindowVisible,IsIconic,GetWindowRect,OffsetRect,CreateRectRgnIndirect,CombineRgn,DeleteObject, | 0_2_0042354C
      Source: C:\Users\user\Desktop\njw.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\njw.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\njw.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\njw.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\njw.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\njw.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\njw.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\njw.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\njw.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\njw.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\njw.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\njw.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\njw.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\njw.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\njw.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\njw.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\njw.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_0042AC1C GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetCurrentProcessId,GetModuleHandleA,NtQuerySystemInformation,LocalFree,LocalAlloc,LocalAlloc,NtQuerySystemInformation,GetCurrentProcessId,LocalFree, | 0_2_0042AC1C
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_0068A2D1 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp-4ch], 03h and CTI: jnc 0068A3BEh | 0_2_0068A2D1
      Source: C:\Users\user\Desktop\njw.exe | Memory allocated: 3F70000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\njw.exe | Memory allocated: A110000 memory commit | memory reserve | memory write watch
      Source: C:\Users\user\Desktop\njw.exe | Memory allocated: A2B0000 memory commit | memory reserve | memory write watch
      Source: C:\Users\user\Desktop\njw.exe | Memory allocated: A2D0000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\njw.exe | Evaded block: after key decision | graph_0-25519
      Source: C:\Users\user\Desktop\njw.exe | Evaded block: after key decision | graph_0-26181
      Source: C:\Users\user\Desktop\njw.exe | Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_0068FDFC FindFirstFileA, | 0_2_0068FDFC
      Source: C:\Users\user\Desktop\njw.exe | Code function: 0_2_0068D8ED FindFirstFileA,GetTempPathA,DeleteFileA,FindNextFileA, | 0_2_0068D8ED
      Source: C:\Users\user\Desktop\njw.exe | File Volume queried: C:\ FullSizeInformation
      Source: njw.exe, 00000000.00000003.738298118.00000000009A7000.00000004.00000001.sdmp | Binary or memory string: 1&0SWD\MSRRAS\MS_AGILEVPNMINIPORTROOT\CompositeBus\0000ROOT\vdrvroot\0000ROOT\spaceport\0000ACPI\PNP0B00\4&1bd7f811&0ROOT\KDNIC\0000ACPI\PNP0303\4&1bd7f811&0USB\VID_0E0F&PID_0003&MI_01\7&1ffda586&0&0001SWD\PRINTENUM\{76EAF5AF-D6EB-4F92-BEE0-755C2D4343CA}SWD\PRINTENUM\{AD489F8D-3BDF-4E8D-B3D2-2E65A589368B}PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&A8PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&A9PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&AAPCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&ABPCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&ACPCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&ADPCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&AEPCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&AFPCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B0PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B1PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B2PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B3PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B4PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B5PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B6PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B7PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B8PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B9PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&BAPCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&BBPCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&BCPCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&BDPCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&BEPCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&BFPCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&C0PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&C1PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\
      Source: njw.exe, 00000000.00000003.738298118.00000000009A7000.00000004.00000001.sdmpBinary or memory string: 1&0SWD\MSRRAS\MS_AGILEVPNMINIPORTROOT\CompositeBus\0000ROOT\vdrvroot\0000ROOT\spaceport\0000ACPI\PNP0B00\4&1bd7f811&0ROOT\KDNIC\0000ACPI\PNP0303\4&1bd7f811&0USB\VID_0E0F&PID_0003&MI_01\7&1ffda586&0&0001SWD\PRINTENUM\{76EAF5AF-D6EB-4F92-BEE0-755C2D4343CA}SWD\PRINTENUM\{AD489F8D-3BDF-4E8D-B3D2-2E65A589368B}PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&A8PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&A9PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&AAPCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&ABPCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&ACPCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&ADPCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&AEPCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&AFPCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B0PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B1PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B2PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B3PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B4PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B5PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B6PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B7PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B8PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B9PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&BAPCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&BBPCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&BCPCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&BDPCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&BEPCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&BFPCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&C0PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&C1PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\
3&61aaa01&0&C2PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&C3PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&C4PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&C5PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&C6PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&C7ACPI\PNP0200\4&1bd7f811&0ROOT\UMBUS\0000SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000ROOT\ACPI_HAL\0000SWD\MSRRAS\MS_NDISWANBHSWD\MSRRAS\MS_NDISWANIPPCI\VEN_15AD&DEV_1977&SUBSYS_197715AD&REV_09\4&bbf9765&0&0088ACPI_HAL\PNP0C08\0HTREE\ROOT\0ROOT\BasicRender\0000SWD\MSRRAS\MS_SSTPMINIPORTSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000PCI\VEN_15AD&DEV_0740&SUBSYS_074015AD&REV_10\3&61aaa01&0&3FSWD\PRINTENUM\{56829D9F-AB04-4336-A25A-0504A6D184EC}ACPI\FixedButton\2&daba3ff&0PCI\VEN_8086&DEV_7110&SUBSYS_197615AD&REV_08\3&61aaa01&0&38ACPI\PNP0C02\1fHID\VID_0E0F&PID_0003&MI_00\8&1230c469&0&0000PCI\VEN_15AD&DEV_0779&SUBSYS_077915AD&REV_00\4&3b50545d&0&00B8STORAGE\Volume\{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000SWD\MMDEVAPI\{0.0.1.00000000}.{fcb8848f-2374-48ab-94
      Source: njw.exe, 00000000.00000003.738345129.000000000099F000.00000004.00000001.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000000C=C
      Source: njw.exe, 00000000.00000003.738345129.000000000099F000.00000004.00000001.sdmpBinary or memory string: AS\MS_AGILEVPNMINIPORTROOT\CompositeBus\0000ROOT\vdrvroot\0000ROOT\spaceport\0000ACPI\PNP0B00\4&1bd7f811&0ROOT\KDNIC\0000ACPI\PNP0303\4&1bd7f811&0USB\VID_0E0F&PID_0003&MI_01\7&1ffda586&0&0001SWD\PRINTENUM\{76EAF5AF-D6EB-4F92-BEE0-755C2D4343CA}SWD\PRINTENUM\{AD489F8D-3BDF-4E8D-B3D2-2E65A589368B}PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&A8PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&A9PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&AAPCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&ABPCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&ACPCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&ADPCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&AEPCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&AFPCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B0PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B1PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B2PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B3PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B4PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B5PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B6PCI\VEN_8086&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B7PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B8PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&B9PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&BAPCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&BBPCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&BCPCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&BDPCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&BEPCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&BFPCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&C0PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&C1PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0
&C2PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&C3PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&C4PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&C5PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&C6PCI\VEN_15AD&DEV_07A0&SUBSYS_07A015AD&REV_01\3&61aaa01&0&C7ACPI\PNP0200\4&1bd7f811&0ROOT\UMBUS\0000SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000ROOT\ACPI_HAL\0000SWD\MSRRAS\MS_NDISWANBHSWD\MSRRAS\MS_NDISWANIPPCI\VEN_15AD&DEV_1977&SUBSYS_197715AD&REV_09\4&bbf9765&0&0088ACPI_HAL\PNP0C08\0HTREE\ROOT\0ROOT\BasicRender\0000SWD\MSRRAS\MS_SSTPMINIPORTSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000PCI\VEN_15AD&DEV_0740&SUBSYS_074015AD&REV_10\3&61aaa01&0&3FSWD\PRINTENUM\{56829D9F-AB04-4336-A25A-0504A6D184EC}ACPI\FixedButton\2&daba3ff&0PCI\VEN_8086&DEV_7110&SUBSYS_197615AD&REV_08\3&61aaa01&0&38ACPI\PNP0C02\1fHID\VID_0E0F&PID_0003&MI_00\8&1230c469&0&0000PCI\VEN_15AD&DEV_0779&SUBSYS_077915AD&REV_00\4&3b50545d&0&00B8STORAGE\Volume\{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000SWD\MMDEVAPI\{0.0.1.00000000}.{fcb8848f-2374-48ab-9412-fa1c511f
      Source: njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
      Source: njw.exe, 00000000.00000003.738345129.000000000099F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
      Source: njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWh
      Source: njw.exe, 00000000.00000003.742405334.0000000002658000.00000004.00000001.sdmp, bugreport.txt.0.dr Binary or memory string: - Microsoft Hyper-V Generation Counter
      Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0042BA90 VirtualProtect 00000000,00000004,00607910,00607910,00000000,00000004,00000040,00607910,00000000,00000001,00000000 0_2_0042BA90
      Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0042AC1C GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetCurrentProcessId,GetModuleHandleA,NtQuerySystemInformation,LocalFree,LocalAlloc,LocalAlloc,NtQuerySystemInformation,GetCurrentProcessId,LocalFree, 0_2_0042AC1C
      Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0068EF5E SetUnhandledExceptionFilter, 0_2_0068EF5E
      Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0068F6E2 EnterCriticalSection,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter, 0_2_0068F6E2
      Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0042B7EC InitializeSecurityDescriptor,SetSecurityDescriptorDacl, 0_2_0042B7EC
      Source: njw.exe, 00000000.00000002.932618181.0000000000ED0000.00000002.00020000.sdmp Binary or memory string: Program Manager
      Source: njw.exe, 00000000.00000002.932618181.0000000000ED0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
      Source: njw.exe, 00000000.00000002.932618181.0000000000ED0000.00000002.00020000.sdmp Binary or memory string: Progman
      Source: njw.exe, 00000000.00000002.932618181.0000000000ED0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
      Source: C:\Users\user\Desktop\njw.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
      Source: C:\Users\user\Desktop\njw.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\njw.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\njw.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\njw.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
      Source: C:\Users\user\Desktop\njw.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\njw.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation (2 identical events)
      Source: C:\Users\user\Desktop\njw.exe Queries volume information: C:\Windows\SysWOW64\Macromed\Flash\activex.vch VolumeInformation
      Source: C:\Users\user\Desktop\njw.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation (2 identical events)
      Source: C:\Users\user\Desktop\njw.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_0040648C
      Source: C:\Users\user\Desktop\njw.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_00406598
      Source: C:\Users\user\Desktop\njw.exe Code function: GetThreadLocale,GetLocaleInfoA, 0_2_0040AB10
      Source: C:\Users\user\Desktop\njw.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (3 identical events)
      Source: C:\Users\user\Desktop\njw.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 (3 identical events)
      Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0068A2D1 GetSystemTimeAsFileTime,SetFilePointer,ReadFile,GetSystemTimeAsFileTime, 0_2_0068A2D1
      Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_0041CE14 RtlValidSecurityDescriptor,VirtualQuery,GetVersion,GetModuleHandleA, 0_2_0041CE14

      Stealing of Sensitive Information:

      Tries to steal Mail credentials (via file registry)
      Source: C:\Users\user\Desktop\njw.exe Code function: EnterCriticalSection,LocalAlloc,LeaveCriticalSection, SmtpPassword 0_2_0042EB98 (2 identical events)
      Source: C:\Users\user\Desktop\njw.exe Code function: SmtpPassword 0_2_00435178
      Source: C:\Users\user\Desktop\njw.exe Code function: 0_2_00439C00 socket,bind,htons,sendto,select,closesocket, 0_2_00439C00

      Mitre Att&ck Matrix

      The number after a technique name is the count of matched signatures shown next to it in the matrix.

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Native API 1 | Path Interception | Process Injection 1 | Masquerading 1 | Input Capture 2 | System Time Discovery 11 | Remote Services | Input Capture 2 | Exfiltration Over Other Network Medium | Encrypted Channel 11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | Credentials in Registry 1 | Security Software Discovery 11 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 1 | Security Account Manager | Virtualization/Sandbox Evasion 1 | SMB/Windows Admin Shares | Clipboard Data 1 | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 1 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 14 | SIM Card Swap | Carrier Billing Fraud |
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 3 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
      External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 2 | DCSync | File and Directory Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery 34 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

      Behavior Graph

      (The graph image is not reproduced here; only its legend survives.)

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      Screenshots

      (Screenshot thumbnails are not reproduced here.)

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label
      njw.exe | 11% | Virustotal |
      njw.exe | 4% | ReversingLabs |
      njw.exe | 100% | Joe Sandbox ML |

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      Source | Detection | Scanner | Label
      0.2.njw.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
      0.0.njw.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
      0.1.njw.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

      Domains

      Source | Detection | Scanner | Label
      counter.yadro.ru | 3% | Virustotal |

      URLs

      Source | Detection | Scanner | Label
      http://counter.yadro.ru/hit;counter1?r | 1% | Virustotal |
      http://counter.yadro.ru/hit;counter1?r | 0% | Avira URL Cloud | safe
      http://www.all-bearings.narod | 0% | Avira URL Cloud | safe
      http://counter.yadro.ru/hit;counter1?r;s1280*1024*32;uhttp%3A//www.all-bearings.narod.ru/secondpage.html;0.5443641556055339 | 0% | Avira URL Cloud | safe
      https://counter.yadro.ru/ | 0% | Avira URL Cloud | safe
      https://mc.yandex. | 0% | URL Reputation | safe
      https://mc.yandex.: | 0% | Avira URL Cloud | safe
      http://www.all-bearings.narod.ruc | 0% | Avira URL Cloud | safe
      http://www.all-bearings.narod.rud | 0% | Avira URL Cloud | safe
      https://mc.y | 0% | Avira URL Cloud | safe
      https://mc.y0 | 0% | Avira URL Cloud | safe
      https://counter.yadro.ru/& | 0% | Avira URL Cloud | safe
      http://www.all-bearings.narod.ruopenS | 0% | Avira URL Cloud | safe
      https://mc.yandex.md/cc | 0% | URL Reputation | safe
      https://mc.yandex.pK | 0% | Avira URL Cloud | safe
      https://counter.yadro.ru/hit;counter1?q;r;s1280 | 0% | Avira URL Cloud | safe
      http://w3.o | 0% | Avira URL Cloud | safe
      http://www.remserviss.ruopen | 0% | Avira URL Cloud | safe
      http://counter.yadro.ru/hit;counter1?r;s1280 | 0% | Avira URL Cloud | safe
      https://counter.yadro.ru/hit;counter1?q;r;s1280*1024*32;uhttp%3A//www.all-bearings.narod.ru/firstpage.html;0.34476715437082456 | 0% | Avira URL Cloud | safe
      http://www.remserviss.ru | 0% | Avira URL Cloud | safe
      https://mc.yandex.md/ccPageView. | 0% | Avira URL Cloud | safe
      https://iframe-toloka.com/ | 0% | Avira URL Cloud | safe
      http://www.all-bearings.d | 0% | Avira URL Cloud | safe
      http://counter.yadro.ru/ | 0% | Avira URL Cloud | safe
      https://mc.yandex.md/ccba | 0% | Avira URL Cloud | safe
      http://www.all-bearings. | 0% | Avira URL Cloud | safe

      Domains and IPs

      Contacted Domains

      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      mc.yandex.ru | 87.250.251.119 | true | false | | high
      counter.yadro.ru | 88.212.201.198 | true | false | | unknown
      www-google-analytics.l.google.com | 142.250.203.110 | true | false | | high
      www.all-bearings.narod.ru | 193.109.247.229 | true | false | | high

      Contacted URLs

      Name | Malicious | Antivirus Detection | Reputation
      http://counter.yadro.ru/hit;counter1?r;s1280*1024*32;uhttp%3A//www.all-bearings.narod.ru/secondpage.html;0.5443641556055339 | false | Avira URL Cloud: safe | unknown
      http://www.all-bearings.narod.ru/.s/img/err/404-arrow.png | false | | high
      https://mc.yandex.ru/watch/14153041?callback=_ymjsp355627947&page-url=http%3A%2F%2Fwww.all-bearings.narod.ru%2Ffirstpage.html&charset=utf-8&browser-info=pv%3A1%3Agdpr%3A14%3Avf%3A9ezyymqkmijljhdjn%3Afp%3A1930%3Afu%3A0%3Aen%3Autf-8%3Ala%3Aen-US%3Av%3A680%3Acn%3A1%3Adp%3A0%3Als%3A732524701665%3Ahid%3A87010386%3Az%3A120%3Ai%3A202101029175120%3Aet%3A1635522680%3Ac%3A1%3Arn%3A244404675%3Au%3A1635522678322622628%3Aw%3A148x47%3As%3A1280x1024x32%3Aifr%3A1%3Aj%3A1%3Ans%3A1635522674781%3Ads%3A0%2C0%2C0%2C0%2C0%2C0%2C%2C155%2C0%2C2520%2C2521%2C0%2C2520%3Aco%3A0%3Arqnl%3A1%3Ast%3A1635522681%3At%3AHTTP%20404%20Resource%20not%20found&t=gdpr(14)ti(3)&wmode=5 | false | | high
      http://www.all-bearings.narod.ru/.s/img/err/404-logo.png | false | | high
      https://mc.yandex.ru/metrika/advert.gif?t=ti(4) | false | | high
      http://www.all-bearings.narod.ru/.s/img/err/404.png | false | | high
      http://www.all-bearings.narod.ru/.s/img/err/404-header-line.gif | false | | high
      http://mc.yandex.ru/metrika/watch.js | false | | high
      http://www.all-bearings.narod.ru/.s/img/err/button.png | false | | high
      https://counter.yadro.ru/hit;counter1?q;r;s1280*1024*32;uhttp%3A//www.all-bearings.narod.ru/firstpage.html;0.34476715437082456 | false | Avira URL Cloud: safe | unknown

      URLs from Memory and Binaries

      Name | Source | Malicious | Antivirus Detection | Reputation
      http://counter.yadro.ru/hit;counter1?r | njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
      http://google.com/search | njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp, njw.exe, 00000000.00000002.935452329.0000000006ADC000.00000004.00000001.sdmp | false | | high
      http://ucoz.com/register/x;Z | njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmp | false | | high
      http://www.all-bearings.narod | njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
      http://www.all-bearings.narod.ru/secondpage.htmlngs.narod.ru/secondpage.html | njw.exe, 00000000.00000002.932520416.00000000009F9000.00000004.00000020.sdmp | false | | high
      https://twitter.com/# | njw.exe, 00000000.00000002.935353424.0000000006AA7000.00000004.00000001.sdmp | false | | high
      http://www.all-bearings.narod.ru/.s/img/err/404-header-line.gifg | njw.exe, 00000000.00000002.935452329.0000000006ADC000.00000004.00000001.sdmp | false | | high
      http://www.all-bearings.narod.ru/firstpage.htmly | njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmp | false | | high
      http://www.macromedia.com | njw.exe, 00000000.00000002.938239805.000000000D9C0000.00000004.00000040.sdmp | false | | high
      http://www.all-bearings.narod.ru/B | njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmp | false | | high
      http://www.ucoz.com/tour/8a | njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmp | false | | high
      http://www.all-bearings.narod.ru/F | njw.exe, 00000000.00000002.935452329.0000000006ADC000.00000004.00000001.sdmp | false | | high
      http://www.all-bearings.narod.ru/.s/img/err/404-arrow.pngDye | njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp | false | | high
      http://www.all-bearings.narod.ru/secondpage.htmllU | njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmp | false | | high
      https://counter.yadro.ru/ | njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
      http://ucoz.com/register/ | njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp | false | | high
      http://www.all-bearings.narod.ru/secondpage.htmllq | njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmp | false | | high
      http://faq.ucoz.com/iCy | njw.exe, 00000000.00000002.936865761.000000000B811000.00000004.00000001.sdmp | false | | high
      http://www.all-bearings.narod.ru/.s/img/err/404-header-line.gifT | njw.exe, 00000000.00000002.935452329.0000000006ADC000.00000004.00000001.sdmp | false | | high
      https://mc.yandex. | njw.exe, 00000000.00000002.937010137.000000000B8DE000.00000004.00000001.sdmp, watch[1].js.0.dr | false | URL Reputation: safe | unknown
      http://www.all-bearings.narod.ru/.s/img/err/button.pnges | njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp | false | | high
      http://www.all-bearings.narod.ru/.s/img/err/404-header-line.gifW | njw.exe, 00000000.00000002.935452329.0000000006ADC000.00000004.00000001.sdmp | false | | high
      http://www.all-bearings.narod.ru/firstpage.htmlhttp://www.all-bearings.narod.ru/firstpage.html | njw.exe, 00000000.00000002.936034770.000000000A077000.00000004.00000001.sdmp | false | | high
      http://www.all-bearings.narod.ru/.s/img/err/404-header-line.gifY | njw.exe, 00000000.00000003.754332572.000000000B7CE000.00000004.00000001.sdmp | false | | high
      http://www.all-bearings.narod.ru/.s/img/err/button.png5? | njw.exe, 00000000.00000002.935383674.0000000006AAD000.00000004.00000001.sdmp | false | | high
      http://www.all-bearings.narod.ru/.s/img/err/404.pngg/ | njw.exe, 00000000.00000002.934975035.0000000006A40000.00000004.00000001.sdmp | false | | high
      https://mc.yandex.: | njw.exe, 00000000.00000003.782452215.000000000DF16000.00000004.00000010.sdmp | false | Avira URL Cloud: safe | unknown
      http://www.all-bearings.narod.ruc | njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
      http://www.all-bearings.narod.ru/.s/img/err/button.png... | njw.exe, 00000000.00000003.754037157.000000000B828000.00000004.00000001.sdmp | false | | high
      http://www.all-bearings.narod.rud | njw.exe, 00000000.00000002.934975035.0000000006A40000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
      http://www.ucoz.com/pricing/Iy | njw.exe, 00000000.00000002.936854078.000000000B80E000.00000004.00000001.sdmp | false | | high
      https://mc.y | njw.exe, 00000000.00000002.935488975.0000000006AEB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
      http://www.all-bearings.narod.ru/$ | njw.exe, 00000000.00000002.936702634.000000000B7B1000.00000004.00000001.sdmp | false | | high
      https://mc.y0 | njw.exe, 00000000.00000002.936702634.000000000B7B1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
      http://www.ucoz.com/terms/ | njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp, njw.exe, 00000000.00000002.936702634.000000000B7B1000.00000004.00000001.sdmp | false | | high
      https://s3.mds.yandex.net/internal-metrika-betasS | njw.exe, 00000000.00000003.790985819.000000000F57D000.00000004.00000001.sdmp | false | | high
      http://www.all-bearings.narod.ru/firstpage.htmlg | njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmp | false | | high
      http://www.all-bearings.narod.ru/.s/img/err/404-arrow.png4yU | njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp | false | | high
      https://counter.yadro.ru/& | njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
      http://www.all-bearings.narod.ru/.s/img/err/404-header-line.gifQ | njw.exe, 00000000.00000002.935452329.0000000006ADC000.00000004.00000001.sdmp | false | | high
      http://www.all-bearings.narod.ru/.s/img/err/button.pngX | njw.exe, 00000000.00000003.754332572.000000000B7CE000.00000004.00000001.sdmp | false | | high
      http://www.all-bearings.narod.ru/.s/img/err/404.pngv6 | njw.exe, 00000000.00000002.935353424.0000000006AA7000.00000004.00000001.sdmp | false | | high
      http://www.all-bearings.narod.ru/.s/img/err/button.pngf | njw.exe, 00000000.00000002.935452329.0000000006ADC000.00000004.00000001.sdmp | false | | high
      http://www.all-bearings.narod.ruopenS | njw.exe, 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp | false | Avira URL Cloud: safe |
                                                                                              unknown
                                                                                              https://s3.mds.yandex.net/internal-metrika-betasnjw.exe, 00000000.00000002.937010137.000000000B8DE000.00000004.00000001.sdmp, njw.exe, 00000000.00000003.756432489.000000000684E000.00000004.00000001.sdmp, watch[1].js.0.drfalse
                                                                                                high
                                                                                                http://www.all-bearings.narod.ru/firstpage.htmlknjw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmpfalse
                                                                                                  high
                                                                                                  https://yastatic.net/s3/metrikanjw.exe, 00000000.00000003.792685337.000000000F5D7000.00000004.00000001.sdmp, njw.exe, 00000000.00000002.937010137.000000000B8DE000.00000004.00000001.sdmp, njw.exe, 00000000.00000003.756432489.000000000684E000.00000004.00000001.sdmp, watch[1].js.0.drfalse
                                                                                                    high
                                                                                                    http://www.ucoz.com/privacy/%ynjw.exe, 00000000.00000002.936854078.000000000B80E000.00000004.00000001.sdmpfalse
                                                                                                      high
                                                                                                      https://mc.yandex.md/ccnjw.exe, 00000000.00000002.937010137.000000000B8DE000.00000004.00000001.sdmp, watch[1].js.0.drfalse
                                                                                                      • URL Reputation: safe
                                                                                                      unknown
                                                                                                      http://www.all-bearings.narod.ru/.s/img/err/button.pngjnjw.exe, 00000000.00000003.754519394.000000000B7CE000.00000004.00000001.sdmpfalse
                                                                                                        high
                                                                                                        http://www.all-bearings.narod.ru/secondpage.html...njw.exe, 00000000.00000002.932520416.00000000009F9000.00000004.00000020.sdmpfalse
                                                                                                          high
                                                                                                          https://mc.yandex.pKnjw.exe, 00000000.00000003.756492906.0000000006831000.00000004.00000001.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://www.all-bearings.narod.ru/firstpage.htmleoplenjw.exe, 00000000.00000003.754316994.000000000B7B1000.00000004.00000001.sdmpfalse
                                                                                                            high
                                                                                                            https://counter.yadro.ru/hit;counter1?q;r;s1280njw.exe, 00000000.00000003.754332572.000000000B7CE000.00000004.00000001.sdmp, njw.exe, 00000000.00000002.935516918.0000000006AF2000.00000004.00000001.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://www.all-bearings.narod.ru/.s/img/err/button.png-cnjw.exe, 00000000.00000002.934975035.0000000006A40000.00000004.00000001.sdmpfalse
                                                                                                              high
                                                                                                              http://www.all-bearings.narod.ru/.s/img/err/404-arrow.png$yEnjw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmpfalse
                                                                                                                high
                                                                                                                http://www.all-bearings.narod.ru/secondpage.html-Aloudnjw.exe, 00000000.00000002.937283236.000000000BAF0000.00000004.00000001.sdmpfalse
                                                                                                                  high
                                                                                                                  http://w3.onjw.exe, 00000000.00000002.934808825.00000000067D8000.00000004.00000001.sdmpfalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  unknown
                                                                                                                  http://www.remserviss.ruopennjw.exe, 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmpfalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  unknown
                                                                                                                  http://www.all-bearings.narod.ru/firstpage.htmlU:njw.exe, 00000000.00000003.754245026.0000000006B19000.00000004.00000001.sdmpfalse
                                                                                                                    high
                                                                                                                    http://top.ucoz.com/njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp, njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmp, njw.exe, 00000000.00000002.936889233.000000000B821000.00000004.00000001.sdmpfalse
                                                                                                                      high
                                                                                                                      http://www.all-bearings.narod.ru/.s/img/err/button.pngT8Tnjw.exe, 00000000.00000002.935383674.0000000006AAD000.00000004.00000001.sdmpfalse
                                                                                                                        high
                                                                                                                        http://counter.yadro.ru/hit;counter1?r;s1280njw.exe, 00000000.00000002.935239138.0000000006A8C000.00000004.00000001.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        http://www.all-bearings.narod.ru/.s/img/err/404-logo.png$zEnjw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmpfalse
                                                                                                                          high
                                                                                                                          http://forum.ucoz.com/r4rnjw.exe, 00000000.00000002.936889233.000000000B821000.00000004.00000001.sdmpfalse
                                                                                                                            high
                                                                                                                            http://ucoz.com/register/n:njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmpfalse
                                                                                                                              high
                                                                                                                              https://stats.g.doubleclick.net/j/collect?njw.exe, 00000000.00000002.936009031.000000000A063000.00000004.00000001.sdmp, njw.exe, 00000000.00000003.751994283.00000000067C9000.00000004.00000001.sdmp, njw.exe, 00000000.00000003.753243308.000000000680B000.00000004.00000001.sdmp, ga[1].js.0.drfalse
                                                                                                                                high
                                                                                                                                http://www.all-bearings.narod.ru/firstpage.html4Enjw.exe, 00000000.00000002.940327666.000000000DF70000.00000004.00000010.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://www.all-bearings.narod.runjw.exefalse
                                                                                                                                    high
                                                                                                                                    http://www.ucoz.com/tour/pxnjw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://www.remserviss.runjw.exefalse
                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                      unknown
                                                                                                                                      http://www.all-bearings.narod.ru/.s/img/err/button.png&njw.exe, 00000000.00000003.754316994.000000000B7B1000.00000004.00000001.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://www.all-bearings.narod.ru/.s/img/err/404-header-line.gif.dllnjw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://www.all-bearings.narod.ru/nnjw.exe, 00000000.00000002.935452329.0000000006ADC000.00000004.00000001.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://book.ucoz.comnjw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://mc.yandex.md/ccPageView.njw.exe, 00000000.00000003.789755108.000000000F548000.00000004.00000001.sdmpfalse
                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                              unknown
                                                                                                                                              http://www.all-bearings.narod.ru/.s/img/err/404-arrow.pngTDunjw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://iframe-toloka.com/njw.exe, 00000000.00000003.792685337.000000000F5D7000.00000004.00000001.sdmp, njw.exe, 00000000.00000003.774568164.000000000E05A000.00000004.00000010.sdmp, njw.exe, 00000000.00000002.937010137.000000000B8DE000.00000004.00000001.sdmp, njw.exe, 00000000.00000003.756432489.000000000684E000.00000004.00000001.sdmp, watch[1].js.0.drfalse
                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                unknown
                                                                                                                                                http://forum.ucoz.com/)njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://www.all-bearings.dnjw.exe, 00000000.00000002.935353424.0000000006AA7000.00000004.00000001.sdmpfalse
                                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                                  unknown
                                                                                                                                                  https://www.macromedia.com/support/flashplayer/sys/njw.exe, 00000000.00000002.938239805.000000000D9C0000.00000004.00000040.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://www.all-bearings.narod.ru/secondpage.htmlsnjw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://counter.yadro.ru/njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmpfalse
                                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                                      unknown
                                                                                                                                                      https://mc.yandex.md/ccbanjw.exe, 00000000.00000003.756432489.000000000684E000.00000004.00000001.sdmpfalse
                                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                                      unknown
                                                                                                                                                      http://www.all-bearings.narod.ru/firstpage.html...njw.exe, 00000000.00000002.932520416.00000000009F9000.00000004.00000020.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://www.all-bearings.narod.ru/.s/img/err/404-logo.pngTzunjw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://twitter.com/k4ynjw.exe, 00000000.00000002.936889233.000000000B821000.00000004.00000001.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://www.all-bearings.njw.exe, 00000000.00000002.935398970.0000000006AB2000.00000004.00000001.sdmpfalse
                                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                                            unknown
                                                                                                                                                            http://www.all-bearings.narod.ru/secondpage.htmlng.pnge.gifE5njw.exe, 00000000.00000002.932312200.0000000000940000.00000004.00000020.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              http://forum.ucoz.com/njw.exe, 00000000.00000002.932537112.0000000000A0D000.00000004.00000020.sdmp, njw.exe, 00000000.00000002.932431127.000000000099B000.00000004.00000020.sdmpfalse
                                                                                                                                                                high

Contacted IPs

(Map legend: No. of IPs < 25%; 25% to 50%; 50% to 75%; > 75%)

Public

IP | Domain | Country | ASN | ASN Name | Malicious
88.212.201.198 | counter.yadro.ru | Russian Federation | 39134 | UNITEDNETRU | false
87.250.251.119 | mc.yandex.ru | Russian Federation | 13238 | YANDEXRU | false
193.109.247.229 | www.all-bearings.narod.ru | Virgin Islands (BRITISH) | 204343 | COMPUBYTE-ASRU | false

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 511823
Start date: 29.10.2021
Start time: 17:49:38
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 6s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: njw.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal60.spyw.winEXE@1/17@4/3
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 5% (good quality ratio 4.6%)
• Quality average: 68.6%
• Quality standard deviation: 30.2%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                                                                                                                                                Show All
                                                                                                                                                                • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                                                                                                                                • Excluded IPs from analysis (whitelisted): 23.211.6.115, 204.79.197.200, 13.107.21.200, 20.82.209.183, 142.250.203.110, 20.54.110.249, 40.91.112.76, 40.112.88.60, 80.67.82.211, 80.67.82.235, 20.82.210.154
                                                                                                                                                                • Excluded domains from analysis (whitelisted): displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, www.google-analytics.com, www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                                                                                                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                                • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                                                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                • Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time | Type | Description
17:51:14 | API Interceptor | 956x Sleep call for process: njw.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
88.212.201.198 | bEzxgfoo6O.rtf | malicious |
88.212.201.198 | http://3ladies.su | malicious |
88.212.201.198 | https://u.to/r9nvGQ | malicious |
88.212.201.198 | http://videomytube.cf | malicious |
88.212.201.198 | https://u.to/ofqqGA | malicious |
88.212.201.198 | https://xurl.es/bz56k | malicious |
88.212.201.198 | https://u.to/MM3SFw | malicious |
88.212.201.198 | https://u.to/SBTlFg | malicious |
88.212.201.198 | https://u.to/JGK-Fg | malicious |
88.212.201.198 | https://u.to/YxOpFg&umid=a2728f18-d3ff-4aef-921f-5b5203212a15&auth=0bf7e98084f3624f56880a7a00d412c1d514f34b-95e09708099e407ce94156c8921315b6f95a718e | malicious |
87.250.251.119 | http://www.cennikiexcel.ru | malicious | mc.yandex.ru/metrika/watch.js
87.250.251.119 | http://An-Crimea.ru | malicious | mc.yandex.ru/metrika/watch.js
87.250.251.119 | http://./Documents/2019-01 | malicious | mc.yandex.ru/metrika/watch.js

Domains

Match | Associated Sample Name / URL | Detection | Context

ASN

Match | Associated Sample Name / URL | Detection | Context
                                                                                                                                                                                    https://loptrk.comGet hashmaliciousBrowse
                                                                                                                                                                                    • 88.212.201.204
                                                                                                                                                                                    https://u.to/r9nvGQGet hashmaliciousBrowse
                                                                                                                                                                                    • 88.212.201.198
                                                                                                                                                                                    https://www.google.com/url?q=https://www.google.com/url?q%3Dhttps://www.google.com/url?q%253Dhttps%25253A%25252F%25252Ffree-porno.site%25252Fsestra-porno-komiks-incest%2526sa%253DD%2526sntz%253D1%2526usg%253DAFQjCNH31NWj_BM8nKT1IECA8pWwYU8jkQ%26amp;sa%3DD%26amp;ust%3D1600094899031000%26amp;usg%3DAOvVaw07fZ2B1xkNEovI70NLM1Sd&sa=D&ust=1600094899044000&usg=AFQjCNFDsSWFDQJ9fjo9ZnFaOp1n4lUx9gGet hashmaliciousBrowse
                                                                                                                                                                                    • 88.212.201.216
                                                                                                                                                                                    http://videomytube.cfGet hashmaliciousBrowse
                                                                                                                                                                                    • 88.212.201.198
                                                                                                                                                                                    YANDEXRUSecuriteInfo.com.Trojan.GenericKD.47272401.17364.exeGet hashmaliciousBrowse
                                                                                                                                                                                    • 77.88.21.158
                                                                                                                                                                                    SecuriteInfo.com.Gen.Variant.Nemesis.1785.13723.exeGet hashmaliciousBrowse
                                                                                                                                                                                    • 77.88.21.158
                                                                                                                                                                                    PO 407274.docGet hashmaliciousBrowse
                                                                                                                                                                                    • 77.88.21.158
                                                                                                                                                                                    PO 407274.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                    • 77.88.21.158
                                                                                                                                                                                    PO.08996.exeGet hashmaliciousBrowse
                                                                                                                                                                                    • 77.88.21.158
                                                                                                                                                                                    New Purchase Order.exeGet hashmaliciousBrowse
                                                                                                                                                                                    • 77.88.21.158
                                                                                                                                                                                    Swift USD PDF.exeGet hashmaliciousBrowse
                                                                                                                                                                                    • 77.88.21.158
                                                                                                                                                                                    Open B024L128 .xhtmlGet hashmaliciousBrowse
                                                                                                                                                                                    • 87.250.251.119
                                                                                                                                                                                    Payment PDF.exeGet hashmaliciousBrowse
                                                                                                                                                                                    • 77.88.21.158
                                                                                                                                                                                    uFvG6DlSUpNCq_0a0Y3vNrYQ.exeGet hashmaliciousBrowse
                                                                                                                                                                                    • 87.250.251.119
                                                                                                                                                                                    MYUNG IN QUotation request.docxGet hashmaliciousBrowse
                                                                                                                                                                                    • 77.88.21.119
                                                                                                                                                                                    kutipan langsung.14.10.2021.xlxs.exeGet hashmaliciousBrowse
                                                                                                                                                                                    • 77.88.21.158
                                                                                                                                                                                    SecuriteInfo.com.Suspicious.Win32.Save.a.20932.exeGet hashmaliciousBrowse
                                                                                                                                                                                    • 77.88.21.158
                                                                                                                                                                                    sora.x86Get hashmaliciousBrowse
                                                                                                                                                                                    • 95.108.149.15
                                                                                                                                                                                    sora.armGet hashmaliciousBrowse
                                                                                                                                                                                    • 100.43.91.162
                                                                                                                                                                                    Petikan segera.12.10.2021.xlxs.exeGet hashmaliciousBrowse
                                                                                                                                                                                    • 77.88.21.158
                                                                                                                                                                                    Purchase_Order_QBO6814_from_Salvona_Technologies.exeGet hashmaliciousBrowse
                                                                                                                                                                                    • 77.88.21.158
                                                                                                                                                                                    RFQ-117404.docGet hashmaliciousBrowse
                                                                                                                                                                                    • 77.88.21.158
                                                                                                                                                                                    Petikan segera.08.10.2021.xlxs.exeGet hashmaliciousBrowse
                                                                                                                                                                                    • 77.88.21.158
                                                                                                                                                                                    t37BGZn2O1.msiGet hashmaliciousBrowse
                                                                                                                                                                                    • 77.88.21.119

JA3 Fingerprints

Match  Associated Sample Name / URL  SHA 256  Detection  Link  Context
37f463bf4616ecd445d4a1937da06e19  jWuh2gZyOs.exe  Get hash  malicious  Browse
  • 87.250.251.119
  • 88.212.201.198
SEMqjw.exe  Get hash  malicious  Browse
  • 87.250.251.119
  • 88.212.201.198
New Fax Message from 120283803.html  Get hash  malicious  Browse
  • 87.250.251.119
  • 88.212.201.198
fax45367876545678.exe  Get hash  malicious  Browse
  • 87.250.251.119
  • 88.212.201.198
gemfs.co.uk (1).html  Get hash  malicious  Browse
  • 87.250.251.119
  • 88.212.201.198
instruction.dll  Get hash  malicious  Browse
  • 87.250.251.119
  • 88.212.201.198
stash-9131480.xls  Get hash  malicious  Browse
  • 87.250.251.119
  • 88.212.201.198
oCN3rc0FzJ.exe  Get hash  malicious  Browse
  • 87.250.251.119
  • 88.212.201.198
cjzu7hTifh.exe  Get hash  malicious  Browse
  • 87.250.251.119
  • 88.212.201.198
e0PXyEbkUg.exe  Get hash  malicious  Browse
  • 87.250.251.119
  • 88.212.201.198
#Ud83d#Udd0a VM 9193407174.wav.html  Get hash  malicious  Browse
  • 87.250.251.119
  • 88.212.201.198
PL5m30TFgh.exe  Get hash  malicious  Browse
  • 87.250.251.119
  • 88.212.201.198
Hgny9xwmj6.exe  Get hash  malicious  Browse
  • 87.250.251.119
  • 88.212.201.198
Pv9fSenm0V.exe  Get hash  malicious  Browse
  • 87.250.251.119
  • 88.212.201.198
stash-1675061873.xls  Get hash  malicious  Browse
  • 87.250.251.119
  • 88.212.201.198
stash-1822309505.xls  Get hash  malicious  Browse
  • 87.250.251.119
  • 88.212.201.198
stash-1817904387.xls  Get hash  malicious  Browse
  • 87.250.251.119
  • 88.212.201.198
stash-1675061873.xls  Get hash  malicious  Browse
  • 87.250.251.119
  • 88.212.201.198
Casting Invite.-06503_20211027.xlsb  Get hash  malicious  Browse
  • 87.250.251.119
  • 88.212.201.198
0x000500000001abb1-152.exe  Get hash  malicious  Browse
  • 87.250.251.119
  • 88.212.201.198

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\E5F0NRSV\www.all-bearings.narod[1].xml
Process: C:\Users\user\Desktop\njw.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 13
Entropy (8bit): 2.469670487371862
Encrypted: false
SSDEEP: 3:D90aKb:JFKb
MD5: C1DDEA3EF6BBEF3E7060A1A9AD89E4C5
SHA1: 35E3224FCBD3E1AF306F2B6A2C6BBEA9B0867966
SHA-256: B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB
SHA-512: 6BE8CEC7C862AFAE5B37AA32DC5BB45912881A3276606DA41BF808A4EF92C318B355E616BF45A257B995520D72B7C08752C0BE445DCEADE5CF79F73480910FED
Malicious: false
Reputation: high, very likely benign file
Preview: <root></root>
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\404-arrow[1].png
Process: C:\Users\user\Desktop\njw.exe
File Type: PNG image data, 6 x 9, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 1169
Entropy (8bit): 6.375857124482774
Encrypted: false
SSDEEP: 24:zS1he91Wwh82lYSKw7+H1V/uT3cyJ3V2r7hGQ9/9mekJ:MqQvnL8q1durJ3Gh5/Y5J
MD5: F491D002C601CED0C0BC19994B89CDDC
SHA1: 65B26746EC3BF706DFED1CA6D81BEF6211D15FEF
SHA-256: BA146CE6FB6E788B50E02B45B72835450B513EC744B2F8DE1DD85589B42F8F05
SHA-512: 0E96575D89DFDE823A577EAF6D4CB4EFAB56C37875B7E5955F7F9FF759B67805FF0013DEDC1C98A73616F7C55CEEBBD5222C0A1EF2F17A936CAE36425E129887
Malicious: false
Reputation: low
Preview: .PNG........IHDR...............].....tEXtSoftware.Adobe ImageReadyq.e<...diTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:9A714C550974E111987BC97C16A991C4" xmpMM:DocumentID="xmp.did:8F1EEDA87F2611E18D85EF20DD25A302" xmpMM:InstanceID="xmp.iid:8F1EEDA77F2611E18D85EF20DD25A302" xmp:CreatorTool="Adobe Photoshop CS4 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:92ED5C9A097FE111BC73B13FF08B8A3F" stRef:documentID="xmp.did:9A714C550974E111987BC97C16A991C4"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>...r....IDATx.b..t.r..G....g.b..f..aW8......w\........
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\404[1].png
Process: C:\Users\user\Desktop\njw.exe
                                                                                                                                                                                    File Type:PNG image data, 155 x 66, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                    Size (bytes):4451
                                                                                                                                                                                    Entropy (8bit):7.815188084249031
                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                    SSDEEP:48:mqQvnL8QsrJ3GhrwUC5CY1s7P5ShGRQvQCfCWzSWAnXmeQkzkCgDoSbKVRVbGeLG:XQoL0hrYg9yXvjdSWAWeQlFCXukVaa16
                                                                                                                                                                                    MD5:9684186972F20E829835912A9FF55F3A
                                                                                                                                                                                    SHA1:ACA5BF4DE51319525F1DB749DC0825CA8E1C06C1
                                                                                                                                                                                    SHA-256:389267599E2B30CDA3F0091BCDAA856C39E38543038A52955EBA5B048E915742
                                                                                                                                                                                    SHA-512:31BBD89B9801E09EA5BFA25FDA51FFFDD765C8BEA4BD7FFC80C89750220F99AC35616BDB8146044F69E948424468C3E8691871D6AA2E5C0C27730BFC6AE8AED0
                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                    Preview: .PNG........IHDR.......B.....@P.k....tEXtSoftware.Adobe ImageReadyq.e<...diTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:9A714C550974E111987BC97C16A991C4" xmpMM:DocumentID="xmp.did:A2E971A17F2C11E19D72841B70F96071" xmpMM:InstanceID="xmp.iid:A2E971A07F2C11E19D72841B70F96071" xmp:CreatorTool="Adobe Photoshop CS4 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:92ED5C9A097FE111BC73B13FF08B8A3F" stRef:documentID="xmp.did:9A714C550974E111987BC97C16A991C4"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>*N.....IDATx..].r...........f...[..*.<@..G.....J...V
                                                                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\ga[1].js
                                                                                                                                                                                    Process:C:\Users\user\Desktop\njw.exe
                                                                                                                                                                                    File Type:ASCII text, with very long lines
                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                    Size (bytes):46274
                                                                                                                                                                                    Entropy (8bit):5.48786904450865
                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                    SSDEEP:768:aqNVrKn0VGhn+K7U1r2p/Y60fyy3/g3OMZht1z1prkfw1+9NZ5VA:RHrLVGhnpIwp/Y7cnz1RkLL5m
                                                                                                                                                                                    MD5:E9372F0EBBCF71F851E3D321EF2A8E5A
                                                                                                                                                                                    SHA1:2C7D19D1AF7D97085C977D1B69DCB8B84483D87C
                                                                                                                                                                                    SHA-256:1259EA99BD76596239BFD3102C679EB0A5052578DC526B0452F4D42F8BCDD45F
                                                                                                                                                                                    SHA-512:C3A1C74AC968FC2FA366D9C25442162773DB9AF1289ADFB165FC71E7750A7E62BD22F424F241730F3C2427AFFF8A540C214B3B97219A360A231D4875E6DDEE6F
                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                    Reputation:high, very likely benign file
                                                                                                                                                                                    Preview: (function(){var E;var g=window,n=document,p=function(a){var b=g._gaUserPrefs;if(b&&b.ioo&&b.ioo()||a&&!0===g["ga-disable-"+a])return!0;try{var c=g.external;if(c&&c._gaUserPrefs&&"oo"==c._gaUserPrefs)return!0}catch(f){}a=[];b=n.cookie.split(";");c=/^\s*AMP_TOKEN=\s*(.*?)\s*$/;for(var d=0;d<b.length;d++){var e=b[d].match(c);e&&a.push(e[1])}for(b=0;b<a.length;b++)if("$OPT_OUT"==decodeURIComponent(a[b]))return!0;return!1};var q=function(a){return encodeURIComponent?encodeURIComponent(a).replace(/\(/g,"%28").replace(/\)/g,"%29"):a},r=/^(www\.)?google(\.com?)?(\.[a-z]{2})?$/,u=/(^|\.)doubleclick\.net$/i;function Aa(a,b){switch(b){case 0:return""+a;case 1:return 1*a;case 2:return!!a;case 3:return 1E3*a}return a}function Ba(a){return"function"==typeof a}function Ca(a){return void 0!=a&&-1<(a.constructor+"").indexOf("String")}function F(a,b){return void 0==a||"-"==a&&!b||""==a}function Da(a){if(!a||""==a)return"";for(;a&&-1<" \n\r\t".indexOf(a.charAt(0));)a=a.substring(1);for(;a&&-1<" \n\r\t".i
                                                                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\ga[2].js
                                                                                                                                                                                    Process:C:\Users\user\Desktop\njw.exe
                                                                                                                                                                                    File Type:ASCII text, with very long lines
                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                    Size (bytes):46274
                                                                                                                                                                                    Entropy (8bit):5.48786904450865
                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                    SSDEEP:768:aqNVrKn0VGhn+K7U1r2p/Y60fyy3/g3OMZht1z1prkfw1+9NZ5VA:RHrLVGhnpIwp/Y7cnz1RkLL5m
                                                                                                                                                                                    MD5:E9372F0EBBCF71F851E3D321EF2A8E5A
                                                                                                                                                                                    SHA1:2C7D19D1AF7D97085C977D1B69DCB8B84483D87C
                                                                                                                                                                                    SHA-256:1259EA99BD76596239BFD3102C679EB0A5052578DC526B0452F4D42F8BCDD45F
                                                                                                                                                                                    SHA-512:C3A1C74AC968FC2FA366D9C25442162773DB9AF1289ADFB165FC71E7750A7E62BD22F424F241730F3C2427AFFF8A540C214B3B97219A360A231D4875E6DDEE6F
                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                    Reputation:high, very likely benign file
                                                                                                                                                                                    Preview: (function(){var E;var g=window,n=document,p=function(a){var b=g._gaUserPrefs;if(b&&b.ioo&&b.ioo()||a&&!0===g["ga-disable-"+a])return!0;try{var c=g.external;if(c&&c._gaUserPrefs&&"oo"==c._gaUserPrefs)return!0}catch(f){}a=[];b=n.cookie.split(";");c=/^\s*AMP_TOKEN=\s*(.*?)\s*$/;for(var d=0;d<b.length;d++){var e=b[d].match(c);e&&a.push(e[1])}for(b=0;b<a.length;b++)if("$OPT_OUT"==decodeURIComponent(a[b]))return!0;return!1};var q=function(a){return encodeURIComponent?encodeURIComponent(a).replace(/\(/g,"%28").replace(/\)/g,"%29"):a},r=/^(www\.)?google(\.com?)?(\.[a-z]{2})?$/,u=/(^|\.)doubleclick\.net$/i;function Aa(a,b){switch(b){case 0:return""+a;case 1:return 1*a;case 2:return!!a;case 3:return 1E3*a}return a}function Ba(a){return"function"==typeof a}function Ca(a){return void 0!=a&&-1<(a.constructor+"").indexOf("String")}function F(a,b){return void 0==a||"-"==a&&!b||""==a}function Da(a){if(!a||""==a)return"";for(;a&&-1<" \n\r\t".indexOf(a.charAt(0));)a=a.substring(1);for(;a&&-1<" \n\r\t".i
                                                                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\advert[1].gif
                                                                                                                                                                                    Process:C:\Users\user\Desktop\njw.exe
                                                                                                                                                                                    File Type:GIF image data, version 89a, 1 x 1
                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                    Size (bytes):43
                                                                                                                                                                                    Entropy (8bit):2.7374910194847146
                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                    SSDEEP:3:CU9yltxlHh/:m/
                                                                                                                                                                                    MD5:DF3E567D6F16D040326C7A0EA29A4F41
                                                                                                                                                                                    SHA1:EA7DF583983133B62712B5E73BFFBCD45CC53736
                                                                                                                                                                                    SHA-256:548F2D6F4D0D820C6C5FFBEFFCBD7F0E73193E2932EEFE542ACCC84762DEEC87
                                                                                                                                                                                    SHA-512:B2CA25A3311DC42942E046EB1A27038B71D689925B7D6B3EBB4D7CD2C7B9A0C7DE3D10175790AC060DC3F8ACF3C1708C336626BE06879097F4D0ECAA7F567041
                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                    Reputation:high, very likely benign file
                                                                                                                                                                                    Preview: GIF89a.............!.......,...........D..;
                                                                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\404-arrow[1].png
                                                                                                                                                                                    Process:C:\Users\user\Desktop\njw.exe
                                                                                                                                                                                    File Type:PNG image data, 6 x 9, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                    Size (bytes):1169
                                                                                                                                                                                    Entropy (8bit):6.375857124482774
                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                    SSDEEP:24:zS1he91Wwh82lYSKw7+H1V/uT3cyJ3V2r7hGQ9/9mekJ:MqQvnL8q1durJ3Gh5/Y5J
                                                                                                                                                                                    MD5:F491D002C601CED0C0BC19994B89CDDC
                                                                                                                                                                                    SHA1:65B26746EC3BF706DFED1CA6D81BEF6211D15FEF
                                                                                                                                                                                    SHA-256:BA146CE6FB6E788B50E02B45B72835450B513EC744B2F8DE1DD85589B42F8F05
                                                                                                                                                                                    SHA-512:0E96575D89DFDE823A577EAF6D4CB4EFAB56C37875B7E5955F7F9FF759B67805FF0013DEDC1C98A73616F7C55CEEBBD5222C0A1EF2F17A936CAE36425E129887
                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                    Preview: .PNG........IHDR...............].....tEXtSoftware.Adobe ImageReadyq.e<...diTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:9A714C550974E111987BC97C16A991C4" xmpMM:DocumentID="xmp.did:8F1EEDA87F2611E18D85EF20DD25A302" xmpMM:InstanceID="xmp.iid:8F1EEDA77F2611E18D85EF20DD25A302" xmp:CreatorTool="Adobe Photoshop CS4 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:92ED5C9A097FE111BC73B13FF08B8A3F" stRef:documentID="xmp.did:9A714C550974E111987BC97C16A991C4"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>...r....IDATx.b..t.r..G....g.b..f..aW8......w\........
                                                                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\404-header-line[1].gif
                                                                                                                                                                                    Process:C:\Users\user\Desktop\njw.exe
                                                                                                                                                                                    File Type:GIF image data, version 89a, 1 x 1
                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                    Size (bytes):1161
                                                                                                                                                                                    Entropy (8bit):6.66123176440527
                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                    SSDEEP:24:4al1he91Wwh82lYSKw7+AVRT3cyJ3V2r7hGY8D:RqQvnL8rjrJ3GhL8D
                                                                                                                                                                                    MD5:5B4E842D2F840996ECB19B6AE635E873
                                                                                                                                                                                    SHA1:EE82D94636E4393AAF6E97931793975950A82CA6
                                                                                                                                                                                    SHA-256:AC9C14376FAC0CD59069AEEF8D7667E6A85DAD3BA0379DC2A6026A20DB18DF1A
                                                                                                                                                                                    SHA-512:8E0061925AF72421F8F003F22FC51D284B7F97FBCA3D4A5525CB3411485946CC0738066AE0A88B9D2BA8C4252DB20A69F64E9748BE03FF97AAB7EE2347C4A88D
                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                    Preview: GIF89a.............!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:9A714C550974E111987BC97C16A991C4" xmpMM:DocumentID="xmp.did:4C014FE07F2611E19F57DEAD3C227423" xmpMM:InstanceID="xmp.iid:4C014FDF7F2611E19F57DEAD3C227423" xmp:CreatorTool="Adobe Photoshop CS4 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:92ED5C9A097FE111BC73B13FF08B8A3F" stRef:documentID="xmp.did:9A714C550974E111987BC97C16A991C4"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>.........................................................................................................................
                                                                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\404-header-line[2].gif
                                                                                                                                                                                    Process:C:\Users\user\Desktop\njw.exe
                                                                                                                                                                                    File Type:GIF image data, version 89a, 1 x 1
                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                    Size (bytes):1161
                                                                                                                                                                                    Entropy (8bit):6.66123176440527
                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                    SSDEEP:24:4al1he91Wwh82lYSKw7+AVRT3cyJ3V2r7hGY8D:RqQvnL8rjrJ3GhL8D
                                                                                                                                                                                    MD5:5B4E842D2F840996ECB19B6AE635E873
                                                                                                                                                                                    SHA1:EE82D94636E4393AAF6E97931793975950A82CA6
                                                                                                                                                                                    SHA-256:AC9C14376FAC0CD59069AEEF8D7667E6A85DAD3BA0379DC2A6026A20DB18DF1A
                                                                                                                                                                                    SHA-512:8E0061925AF72421F8F003F22FC51D284B7F97FBCA3D4A5525CB3411485946CC0738066AE0A88B9D2BA8C4252DB20A69F64E9748BE03FF97AAB7EE2347C4A88D
                                                                                                                                                                                    Malicious:false
Preview: GIF89a.............!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:9A714C550974E111987BC97C16A991C4" xmpMM:DocumentID="xmp.did:4C014FE07F2611E19F57DEAD3C227423" xmpMM:InstanceID="xmp.iid:4C014FDF7F2611E19F57DEAD3C227423" xmp:CreatorTool="Adobe Photoshop CS4 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:92ED5C9A097FE111BC73B13FF08B8A3F" stRef:documentID="xmp.did:9A714C550974E111987BC97C16A991C4"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>.........................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\404-logo[1].png
Process: C:\Users\user\Desktop\njw.exe
File Type: PNG image data, 43 x 27, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 2152
Entropy (8bit): 7.4508196985650255
Encrypted: false
SSDEEP: 48:4wqQvnL8HZ3rJ3Gh0NNeqNwzja90uVfAZO6UE:4BQot0h0rSja90uFAhP
MD5: 62A569EF932D3AA5B44BBC515DF09653
SHA1: E910390D6A312FA9F4B222AEEA3226C1F7EA7FA0
SHA-256: 0945354CAD56584EB978AFC9800BC9BD8D24DF25FBFE063573A0511AF5138E8B
SHA-512: 5FD5A2236ACF1E1BB72A12C74FB00C6FB8A3B8D084F513867EA8FAAC1E76027A7CE342A0054B0F873440B7B083551A218324012E021EE343F2FC0CDE03DF94F5
Malicious: false
Preview: .PNG........IHDR...+..........'vm....tEXtSoftware.Adobe ImageReadyq.e<...diTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:9A714C550974E111987BC97C16A991C4" xmpMM:DocumentID="xmp.did:6A7BBACF7F2611E19F01EE589B08C430" xmpMM:InstanceID="xmp.iid:6A7BBACE7F2611E19F01EE589B08C430" xmp:CreatorTool="Adobe Photoshop CS4 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:92ED5C9A097FE111BC73B13FF08B8A3F" stRef:documentID="xmp.did:9A714C550974E111987BC97C16A991C4"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>.O.....IDATx..{lTE....EZjC....j..h.....b..!b*/.c...W

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\404-logo[2].png
Process: C:\Users\user\Desktop\njw.exe
File Type: PNG image data, 43 x 27, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 2152
Entropy (8bit): 7.4508196985650255
Encrypted: false
SSDEEP: 48:4wqQvnL8HZ3rJ3Gh0NNeqNwzja90uVfAZO6UE:4BQot0h0rSja90uFAhP
MD5: 62A569EF932D3AA5B44BBC515DF09653
SHA1: E910390D6A312FA9F4B222AEEA3226C1F7EA7FA0
SHA-256: 0945354CAD56584EB978AFC9800BC9BD8D24DF25FBFE063573A0511AF5138E8B
SHA-512: 5FD5A2236ACF1E1BB72A12C74FB00C6FB8A3B8D084F513867EA8FAAC1E76027A7CE342A0054B0F873440B7B083551A218324012E021EE343F2FC0CDE03DF94F5
Malicious: false
Preview: .PNG........IHDR...+..........'vm....tEXtSoftware.Adobe ImageReadyq.e<...diTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:9A714C550974E111987BC97C16A991C4" xmpMM:DocumentID="xmp.did:6A7BBACF7F2611E19F01EE589B08C430" xmpMM:InstanceID="xmp.iid:6A7BBACE7F2611E19F01EE589B08C430" xmp:CreatorTool="Adobe Photoshop CS4 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:92ED5C9A097FE111BC73B13FF08B8A3F" stRef:documentID="xmp.did:9A714C550974E111987BC97C16A991C4"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>.O.....IDATx..{lTE....EZjC....j..h.....b..!b*/.c...W

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\404[1].png
Process: C:\Users\user\Desktop\njw.exe
File Type: PNG image data, 155 x 66, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 4451
Entropy (8bit): 7.815188084249031
Encrypted: false
SSDEEP: 48:mqQvnL8QsrJ3GhrwUC5CY1s7P5ShGRQvQCfCWzSWAnXmeQkzkCgDoSbKVRVbGeLG:XQoL0hrYg9yXvjdSWAWeQlFCXukVaa16
MD5: 9684186972F20E829835912A9FF55F3A
SHA1: ACA5BF4DE51319525F1DB749DC0825CA8E1C06C1
SHA-256: 389267599E2B30CDA3F0091BCDAA856C39E38543038A52955EBA5B048E915742
SHA-512: 31BBD89B9801E09EA5BFA25FDA51FFFDD765C8BEA4BD7FFC80C89750220F99AC35616BDB8146044F69E948424468C3E8691871D6AA2E5C0C27730BFC6AE8AED0
Malicious: false
Preview: .PNG........IHDR.......B.....@P.k....tEXtSoftware.Adobe ImageReadyq.e<...diTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:9A714C550974E111987BC97C16A991C4" xmpMM:DocumentID="xmp.did:A2E971A17F2C11E19D72841B70F96071" xmpMM:InstanceID="xmp.iid:A2E971A07F2C11E19D72841B70F96071" xmp:CreatorTool="Adobe Photoshop CS4 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:92ED5C9A097FE111BC73B13FF08B8A3F" stRef:documentID="xmp.did:9A714C550974E111987BC97C16A991C4"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>*N.....IDATx..].r...........f...[..*.<@..G.....J...V

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\button[2].png
Process: C:\Users\user\Desktop\njw.exe
File Type: PNG image data, 1 x 20, 8-bit/color RGB, non-interlaced
Category: dropped
Size (bytes): 1036
Entropy (8bit): 6.003417494129505
Encrypted: false
SSDEEP: 24:PQJ1he91Wwh82lYSKw7+AzVvT3cyJ3V2r7hGAOK7:qqQvnL83RrJ3GhOQ
MD5: 20ECCCF80B7CCE904C2EE06F65007306
SHA1: 951474262705F3D4C58E3E937DAF03A9D0BFC7FA
SHA-256: DB06224375A1362DE84DA041DB7BD476C60267D1E7D24A8569F967CE0C07EF05
SHA-512: 692DDE2E59BBB0DE8411E46787DDCDE95156F0E15994219194105CFE3CBDA9A666FAC512DD059297BD5560B6117D0D15DFCC657A431187161F887A525821AE9F
Malicious: false
Preview: .PNG........IHDR..............l......tEXtSoftware.Adobe ImageReadyq.e<...diTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:9A714C550974E111987BC97C16A991C4" xmpMM:DocumentID="xmp.did:3331FF467FCD11E18838E5F708B7572B" xmpMM:InstanceID="xmp.iid:3331FF457FCD11E18838E5F708B7572B" xmp:CreatorTool="Adobe Photoshop CS4 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:92ED5C9A097FE111BC73B13FF08B8A3F" stRef:documentID="xmp.did:9A714C550974E111987BC97C16A991C4"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>..L....>IDATx.l....!.....KS...P"..70.{.*.9..L".....;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\watch[1].js
Process: C:\Users\user\Desktop\njw.exe
File Type: UTF-8 Unicode (with BOM) text, with very long lines
Category: dropped
Size (bytes): 132911
Entropy (8bit): 5.575537014376501
Encrypted: false
SSDEEP: 1536:gSYWWEU3rdOKg7spQAFdmxdoxUxZ2mCeEo/sS8r7kuuDvWvzODHIbkZUQ1mOTMnF:g5WWboAnmxYztM4cMpNO5K
MD5: ECA5C7083EF9B406373D0C3399A909DF
SHA1: 186F214942A03FAEBAEE065A9AD6C44509FD595C
SHA-256: D583F0408C31E539635F93EA833DA6D7FFF4707B3B17679A16B16FD24D639864
SHA-512: 4B63B57801F39D330626588816E5550619EDE8611E1CB22013EA8DB79BA6F643383BB69D57D0168BD2946F7B88DA048E60719B2E7648D201643DF5094DDB5059
Malicious: false
Preview: .(function(){try{(function(Jc){function Hi(a){return a.replace(Ii,function(b,c,d,e){return""+c+e})}function Kc(a,b){if(!b)return!1;var c=M(a);return(new RegExp(b)).test(""+c.pathname+c.hash+c.search)}function Ji(a,b){return Da(a,b,function(c){var d=n(c,"settings.dr");return{rc:Ki(a,d),isEnabled:n(c,"settings.auto_goals")}})}function Li(a,b){function c(){var m=l+"0",p=l+"1";h[m]?h[p]?(l=l.slice(0,-1),--k):(g[p]=e(8),h[p]=1):(g[m]=e(8),h[m]=1)}function d(){var m=l+"1";h[l+"0"]?h[m]?(l=l.slice(0,-1),--k):(l+="1",.h[l]=1):(l+="0",h[l]=1)}function e(m){void 0===m&&(m=1);var p=f.slice(k,k+m);k+=m;return p}for(var f=Ye(a,b,""),g={},h={},k=1,l="";k<f.length-1;)("0"===e()?d:c)();return g}function Mi(a,b,c,d,e){c=Dd(a,a.document.body,c);d=Dd(a,a.document.body,d);N(e.target,[c,d])&&Ed(a,b)}function Ze(a,b,c,d){(c=Ni(a,d,c))&&Ed(a,b,c)}function $e(a,b){var c=af(a,b);return Oi(a,c)}function af(a,b){var c=Dd(a,a.document.body,b);return c?Pi(a,c):""}function Ed(a,b,c){(b=Ea(a,b))&&b.params(cc(["__y

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\watch[2].js
Process: C:\Users\user\Desktop\njw.exe
File Type: UTF-8 Unicode (with BOM) text, with very long lines
Category: dropped
Size (bytes): 132911
Entropy (8bit): 5.575537014376501
Encrypted: false
SSDEEP: 1536:gSYWWEU3rdOKg7spQAFdmxdoxUxZ2mCeEo/sS8r7kuuDvWvzODHIbkZUQ1mOTMnF:g5WWboAnmxYztM4cMpNO5K
MD5: ECA5C7083EF9B406373D0C3399A909DF
SHA1: 186F214942A03FAEBAEE065A9AD6C44509FD595C
SHA-256: D583F0408C31E539635F93EA833DA6D7FFF4707B3B17679A16B16FD24D639864
SHA-512: 4B63B57801F39D330626588816E5550619EDE8611E1CB22013EA8DB79BA6F643383BB69D57D0168BD2946F7B88DA048E60719B2E7648D201643DF5094DDB5059
Malicious: false
Preview: .(function(){try{(function(Jc){function Hi(a){return a.replace(Ii,function(b,c,d,e){return""+c+e})}function Kc(a,b){if(!b)return!1;var c=M(a);return(new RegExp(b)).test(""+c.pathname+c.hash+c.search)}function Ji(a,b){return Da(a,b,function(c){var d=n(c,"settings.dr");return{rc:Ki(a,d),isEnabled:n(c,"settings.auto_goals")}})}function Li(a,b){function c(){var m=l+"0",p=l+"1";h[m]?h[p]?(l=l.slice(0,-1),--k):(g[p]=e(8),h[p]=1):(g[m]=e(8),h[m]=1)}function d(){var m=l+"1";h[l+"0"]?h[m]?(l=l.slice(0,-1),--k):(l+="1",.h[l]=1):(l+="0",h[l]=1)}function e(m){void 0===m&&(m=1);var p=f.slice(k,k+m);k+=m;return p}for(var f=Ye(a,b,""),g={},h={},k=1,l="";k<f.length-1;)("0"===e()?d:c)();return g}function Mi(a,b,c,d,e){c=Dd(a,a.document.body,c);d=Dd(a,a.document.body,d);N(e.target,[c,d])&&Ed(a,b)}function Ze(a,b,c,d){(c=Ni(a,d,c))&&Ed(a,b,c)}function $e(a,b){var c=af(a,b);return Oi(a,c)}function af(a,b){var c=Dd(a,a.document.body,b);return c?Pi(a,c):""}function Ed(a,b,c){(b=Ea(a,b))&&b.params(cc(["__y

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\advert[1].gif
Process: C:\Users\user\Desktop\njw.exe
File Type: GIF image data, version 89a, 1 x 1
Category: dropped
Size (bytes): 43
Entropy (8bit): 2.7374910194847146
Encrypted: false
SSDEEP: 3:CU9yltxlHh/:m/
MD5: DF3E567D6F16D040326C7A0EA29A4F41
SHA1: EA7DF583983133B62712B5E73BFFBCD45CC53736
SHA-256: 548F2D6F4D0D820C6C5FFBEFFCBD7F0E73193E2932EEFE542ACCC84762DEEC87
SHA-512: B2CA25A3311DC42942E046EB1A27038B71D689925B7D6B3EBB4D7CD2C7B9A0C7DE3D10175790AC060DC3F8ACF3C1708C336626BE06879097F4D0ECAA7F567041
Malicious: false
Preview: GIF89a.............!.......,...........D..;

C:\Users\user\Desktop\bugreport.txt
Process: C:\Users\user\Desktop\njw.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 18164
Entropy (8bit): 4.9882772544962215
Encrypted: false
SSDEEP: 384:f9rMWwQN3CxK+8T6zPtw1c5bgrwuBG5bgqO4pPQCAK3JEaKmI6xYVGnbYWEdOaCN:JwQN3Cg+8T6zPu1c5bgrwuBG5bgqO4pZ
MD5: C1757ECB255B635D6BA341EF72AF480D
SHA1: 87D16FC44477F4F06640B02D27674BBD228614CA
SHA-256: 7A96B64D191CF08F88C8C21DAE04C0A925E7893D8919BD94CCD14AA7527963AC
SHA-512: 2005270175A3C936A9AB9D17265AAF63C629287ED634E581E0F9DA56200174401B31DC3D03EBBF0A7F44CA20C322A2B62AA4E3257863D274A32F5434EFA64E0D
Malicious: false
Preview: date/time : 2021-10-29, 17:51:08, 31ms..computer name : 114127..user name : user <admin>..operating system : Windows NT New build 9200..system language : English..system up time : 1 hour 43 minutes..program up time : 5 seconds..processors : 2x Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..physical memory : 2743/8191 MB (free/total)..free disk space : (C:) 79.99 GB..display mode : 1280x1024, 32 bit..process id : $1bd0..allocated memory : 39.16 MB..executable : njw.exe..exec. date/time : 2021-10-29 17:50..madExcept version : 3.0b..callstack crc : $1a0983a1, $6b1df792, $6b1df792..exception number : 1..exception class : EDatabaseError..exception message : Cannot open file bearingdb.tdb.....main thread ($1bd4):..004ca780 +074 njw.exe DB DatabaseError..004ca7e9 +031 njw.exe DB DatabaseErrorFmt..004f0e72 +06e njw.exe TinyDB 6042 +9 TTinyDBFileIO.Open..004f79ba +07e njw.exe

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit): 7.935591299650064
TrID:
• Win32 Executable (generic) a (10002005/4) 99.81%
• Windows Screen Saver (13104/52) 0.13%
• Win16/32 Executable Delphi generic (2074/23) 0.02%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
File name: njw.exe
File size: 1694802
MD5: 3f91f84924d1db7ace9ad307fcae35d1
SHA1: 50e790e2b3324c1b3805916c5a3c323ed8a7305f
SHA256: a0254e8580186ca146fcc6082a6110888ac0cc3c7f733e760ad7a655bd2a0503
SHA512: fda6aeccba43b923567ca1e662f31526a5458dc74df356f077116b0a6300f2e7ac0ce3af8ae81a18064048279c1a231d94c2f5a6c66e5dd210363e6bcf734218
SSDEEP: 49152:iOv9gx8KFwoDGqqO3XG00ASL6/PaSm9eMqDsnF0v:i8GxP+qquXGtLsXaeMqDUF2
File Content Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon

Icon Hash: 6860d1e434cc7c80

Static PE Info

General

Entrypoint: 0x68861c
Entrypoint Section:
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DEBUG_STRIPPED, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 09240fdb1ba0c5773dfe515581b453b6

Entrypoint Preview

Instruction
pushad
call 00007FF550801894h
inc edx
outsd
stosb
adc eax, 1AB8D87Bh
add ah, dh
sbb ecx, dword ptr [eax+3Bh]
stosd
in eax, 2Eh
jc 00007FF55080180Eh
cmp dword ptr [edx+162584A0h], esi
int3
jno 00007FF55080186Fh
inc ebp
jne 00007FF5508017FDh
pop esp
xchg eax, esi
mov ch, 3Eh
sbb al, B8h
pop ebp
cmp dword ptr [ecx-6BF631BBh], edx
jc 00007FF550801859h
int1
inc ecx
mov al, byte ptr [2C11AFFAh]
dec esp
int1
inc ecx
mov al, byte ptr [2C11AFFAh]
dec esp
jmp 00007FF550804901h
jmp 00007FF550804915h
jmp 00007FF550804910h
call 00007FF55080178Fh
stc
outsb
salc
or byte ptr [edx+70h], bh
mov byte ptr [95782E22h], al
and edx, dword ptr [edx+2FFC7C9Ah]
or dword ptr [eax], esp
pop dword ptr [ebx]
mov ebx, B9CF5065h
push dword ptr [eax+0Ch]
stosd
cwde
test eax, 10F2044Eh
sti
xlatb
sti
adc eax, ebx
cmp byte ptr [ecx+2Ah], 0000001Ch
and eax, 06860821h
jnl 00007FF55080184Eh
cmp dword ptr [ebx], edx
mov esi, dword ptr [663AC317h]
jnl 00007FF5508017EAh
cmp al, 1Ah
cmp dword ptr [edi+4Eh], ecx
shr byte ptr [ebx], cl
lahf
dec byte ptr [ebp+6Ch]
cmp ebx, esi
cmp bh, dh
add al, D1h
cmc
imul ecx, dword ptr [edx+ebp*4], C6h
jne 00007FF55080181Eh
pop ebx
pushad
or byte ptr [ebx], bh
sub dl, byte ptr [eax-14h]
xchg eax, esi
movsd
xchg eax, ebx
sbb byte ptr [C14FCB1Fh], FFFFFF96h
and al, byte ptr [00000075h]

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2937b0 | 0x50 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x237000 | 0x5061c |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x20f000 | 0x18 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x293000 | 0x128 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0x1f8a34 | 0xf6200 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
 | 0x1fa000 | 0xba1c | 0x5a00 | False | 0.982118055556 | data | 7.98180899146 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
 | 0x206000 | 0x2489 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
 | 0x209000 | 0x32e2 | 0x1400 | False | 0.93984375 | data | 7.89313292742 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
 | 0x20d000 | 0x51 | 0x200 | False | 0.193359375 | data | 3.96131250875 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
 | 0x20e000 | 0xf0 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
 | 0x20f000 | 0x18 | 0x200 | False | 0.048828125 | data | 0.19667565744 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
 | 0x210000 | 0x26d28 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
 | 0x237000 | 0x5061c | 0x50800 | False | 0.749223602484 | data | 7.33188771893 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
 | 0x288000 | 0xab9c | 0x7200 | False | 0.985094572368 | data | 7.97472353809 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
 | 0x293000 | 0xe2c | 0x1000 | False | 0.3603515625 | data | 4.53691628835 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
 | 0x294000 | 0x615a | 0x1400 | False | 1.0021484375 | data | 7.96644681101 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
MAD | 0x239ba4 | 0x14 | data | |
MAD | 0x239bb8 | 0x31788 | data | |
RT_CURSOR | 0x26b340 | 0x134 | data | |
RT_CURSOR | 0x26b474 | 0x134 | data | |
RT_CURSOR | 0x26b5a8 | 0x134 | data | |
RT_CURSOR | 0x26b6dc | 0x134 | data | |
RT_CURSOR | 0x26b810 | 0x134 | data | English | United States
RT_CURSOR | 0x26b944 | 0x134 | data | |
RT_CURSOR | 0x26ba78 | 0x134 | data | |
RT_CURSOR | 0x26bbac | 0x134 | AmigaOS bitmap font | Russian | Russia
RT_CURSOR | 0x26bce0 | 0x134 | data | English | United States
RT_CURSOR | 0x26be14 | 0x134 | data | English | United States
RT_CURSOR | 0x26bf48 | 0x134 | AmigaOS bitmap font | Russian | Russia
                                                                                                                                                                                    RT_CURSOR0x26c07c0x134dataRussianRussia
                                                                                                                                                                                    RT_CURSOR0x26c1b00x134dataRussianRussia
                                                                                                                                                                                    RT_CURSOR0x26c2e40x134dataRussianRussia
                                                                                                                                                                                    RT_CURSOR0x26c4180x134AmigaOS bitmap fontRussianRussia
                                                                                                                                                                                    RT_CURSOR0x26c54c0x134dataEnglishUnited States
                                                                                                                                                                                    RT_CURSOR0x26c6800x134AmigaOS bitmap fontRussianRussia
                                                                                                                                                                                    RT_CURSOR0x26c7b40x134dataRussianRussia
                                                                                                                                                                                    RT_CURSOR0x26c8e80x134dataRussianRussia
                                                                                                                                                                                    RT_CURSOR0x26ca1c0x134AmigaOS bitmap fontRussianRussia
                                                                                                                                                                                    RT_CURSOR0x26cb500x134AmigaOS bitmap fontRussianRussia
                                                                                                                                                                                    RT_CURSOR0x26cc840x134AmigaOS bitmap font
                                                                                                                                                                                    RT_CURSOR0x26cdb80x134data
                                                                                                                                                                                    RT_CURSOR0x26ceec0x134data
                                                                                                                                                                                    RT_BITMAP0x26d0200x1d0data
                                                                                                                                                                                    RT_BITMAP0x26d1f00x1e4data
                                                                                                                                                                                    RT_BITMAP0x26d3d40x1d0data
                                                                                                                                                                                    RT_BITMAP0x26d5a40x1d0data
                                                                                                                                                                                    RT_BITMAP0x26d7740x1d0data
                                                                                                                                                                                    RT_BITMAP0x26d9440x1d0data
                                                                                                                                                                                    RT_BITMAP0x26db140x1d0data
                                                                                                                                                                                    RT_BITMAP0x26dce40x1d0data
                                                                                                                                                                                    RT_BITMAP0x26deb40x1d0data
                                                                                                                                                                                    RT_BITMAP0x26e0840x1d0data
                                                                                                                                                                                    RT_BITMAP0x26e2540xc0GLS_BINARY_LSB_FIRST
                                                                                                                                                                                    RT_BITMAP0x26e3140xe0GLS_BINARY_LSB_FIRST
                                                                                                                                                                                    RT_BITMAP0x26e3f40xe0GLS_BINARY_LSB_FIRST
                                                                                                                                                                                    RT_BITMAP0x26e4d40x128dataEnglishUnited States
                                                                                                                                                                                    RT_BITMAP0x26e5fc0x128dataEnglishUnited States
                                                                                                                                                                                    RT_BITMAP0x26e7240x128dataEnglishUnited States
                                                                                                                                                                                    RT_BITMAP0x26e84c0x128dataEnglishUnited States
                                                                                                                                                                                    RT_BITMAP0x26e9740x128dataEnglishUnited States
                                                                                                                                                                                    RT_BITMAP0x26ea9c0x128dataEnglishUnited States
                                                                                                                                                                                    RT_BITMAP0x26ebc40x128dataEnglishUnited States
                                                                                                                                                                                    RT_BITMAP0x26ecec0x128dataEnglishUnited States
                                                                                                                                                                                    RT_BITMAP0x26ee140xe8GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                                                                    RT_BITMAP0x26eefc0xe8GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                                                                    RT_BITMAP0x26efe40xe8GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                                                                    RT_BITMAP0x26f0cc0xe8GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                                                                    RT_BITMAP0x26f1b40xe8GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                                                                    RT_BITMAP0x26f29c0xe8GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                                                                                                                                    RT_BITMAP0x26f3840x8cdata
                                                                                                                                                                                    RT_BITMAP0x26f4100x8cdata
                                                                                                                                                                                    RT_BITMAP0x26f49c0x238data
                                                                                                                                                                                    RT_BITMAP0x26f6d40x238data
                                                                                                                                                                                    RT_BITMAP0x26f90c0x8cdata
                                                                                                                                                                                    RT_BITMAP0x26f9980x8cdata
                                                                                                                                                                                    RT_BITMAP0x26fa240x8cdata
                                                                                                                                                                                    RT_BITMAP0x26fab00x238data
                                                                                                                                                                                    RT_BITMAP0x26fce80x5cdata
                                                                                                                                                                                    RT_BITMAP0x26fd440x5cdata
                                                                                                                                                                                    RT_BITMAP0x26fda00x5cdata
                                                                                                                                                                                    RT_BITMAP0x26fdfc0x5cdata
                                                                                                                                                                                    RT_BITMAP0x26fe580x5cdata
                                                                                                                                                                                    RT_BITMAP0x26feb40x138data
                                                                                                                                                                                    RT_BITMAP0x26ffec0x138data
                                                                                                                                                                                    RT_BITMAP0x2701240x138data
                                                                                                                                                                                    RT_BITMAP0x27025c0x138data
                                                                                                                                                                                    RT_BITMAP0x2703940x138data
                                                                                                                                                                                    RT_BITMAP0x2704cc0x138data
                                                                                                                                                                                    RT_BITMAP0x2706040x104data
                                                                                                                                                                                    RT_BITMAP0x2707080x138data
                                                                                                                                                                                    RT_BITMAP0x2708400x104data
                                                                                                                                                                                    RT_BITMAP0x2709440x138data
                                                                                                                                                                                    RT_BITMAP0x270a7c0xe0GLS_BINARY_LSB_FIRST
                                                                                                                                                                                    RT_BITMAP0x270b5c0xc0GLS_BINARY_LSB_FIRST
                                                                                                                                                                                    RT_BITMAP0x270c1c0xc0GLS_BINARY_LSB_FIRST
                                                                                                                                                                                    RT_BITMAP0x270cdc0xe0GLS_BINARY_LSB_FIRST
                                                                                                                                                                                    RT_BITMAP0x270dbc0x1028dBase IV DBT, block length 4096, next free block index 40, next free block 0, next used block 0
                                                                                                                                                                                    RT_BITMAP0x271de40x428GLS_BINARY_LSB_FIRST
                                                                                                                                                                                    RT_BITMAP0x27220c0x428GLS_BINARY_LSB_FIRST
                                                                                                                                                                                    RT_BITMAP0x2726340x428GLS_BINARY_LSB_FIRST
                                                                                                                                                                                    RT_BITMAP0x272a5c0x1028dBase IV DBT, block length 4096, next free block index 40, next free block 0, next used block 0
                                                                                                                                                                                    RT_BITMAP0x273a840x428GLS_BINARY_LSB_FIRST
                                                                                                                                                                                    RT_BITMAP0x273eac0x428GLS_BINARY_LSB_FIRST
                                                                                                                                                                                    RT_BITMAP0x2742d40x428GLS_BINARY_LSB_FIRST
                                                                                                                                                                                    RT_BITMAP0x2746fc0x428GLS_BINARY_LSB_FIRST
                                                                                                                                                                                    RT_BITMAP0x274b240x1028dBase IV DBT, block length 4096, next free block index 40, next free block 0, next used block 0
                                                                                                                                                                                    RT_BITMAP0x275b4c0x428GLS_BINARY_LSB_FIRST
                                                                                                                                                                                    RT_BITMAP0x275f740xc0GLS_BINARY_LSB_FIRST
                                                                                                                                                                                    RT_BITMAP0x2760340xe0GLS_BINARY_LSB_FIRST
                                                                                                                                                                                    RT_BITMAP0x2761140xe8GLS_BINARY_LSB_FIRST
                                                                                                                                                                                    RT_BITMAP0x2761fc0xc0GLS_BINARY_LSB_FIRST
                                                                                                                                                                                    RT_BITMAP0x2762bc0xe0GLS_BINARY_LSB_FIRST
                                                                                                                                                                                    RT_ICON0x27639c0x10a8dBase III DBT, version number 0, next free block index 40RussianRussia
                                                                                                                                                                                    RT_DIALOG0x2774440x52data
                                                                                                                                                                                    RT_STRING0x2774980x1d8data
                                                                                                                                                                                    RT_STRING0x2776700x2cdata
                                                                                                                                                                                    RT_STRING0x27769c0xb0data
                                                                                                                                                                                    RT_STRING0x27774c0x1f0data
                                                                                                                                                                                    RT_STRING0x27793c0x24cdata
                                                                                                                                                                                    RT_STRING0x277b880x1acdata
                                                                                                                                                                                    RT_STRING0x277d340x380data
                                                                                                                                                                                    RT_STRING0x2780b40x410data
                                                                                                                                                                                    RT_STRING0x2784c40x794data
                                                                                                                                                                                    RT_STRING0x278c580xf8data
                                                                                                                                                                                    RT_STRING0x278d500x128data
                                                                                                                                                                                    RT_STRING0x278e780x318data
                                                                                                                                                                                    RT_STRING0x2791900x2a4data
                                                                                                                                                                                    RT_STRING0x2794340x178data
                                                                                                                                                                                    RT_STRING0x2795ac0x1f4data
                                                                                                                                                                                    RT_STRING0x2797a00x450data
                                                                                                                                                                                    RT_STRING0x279bf00x4e0data
                                                                                                                                                                                    RT_STRING0x27a0d00x380data
                                                                                                                                                                                    RT_STRING0x27a4500x528data
                                                                                                                                                                                    RT_STRING0x27a9780x58cdata
                                                                                                                                                                                    RT_STRING0x27af040x478data
                                                                                                                                                                                    RT_STRING0x27b37c0x23cdata
                                                                                                                                                                                    RT_STRING0x27b5b80xd4data
                                                                                                                                                                                    RT_STRING0x27b68c0x110data
                                                                                                                                                                                    RT_STRING0x27b79c0x24cdata
                                                                                                                                                                                    RT_STRING0x27b9e80x414data
                                                                                                                                                                                    RT_STRING0x27bdfc0x3b4data
                                                                                                                                                                                    RT_STRING0x27c1b00x3a0data
                                                                                                                                                                                    RT_STRING0x27c5500x388data
                                                                                                                                                                                    RT_STRING0x27c8d80x234data
                                                                                                                                                                                    RT_STRING0x27cb0c0xecdata
                                                                                                                                                                                    RT_STRING0x27cbf80x1f0data
                                                                                                                                                                                    RT_STRING0x27cde80x41cdata
                                                                                                                                                                                    RT_STRING0x27d2040x378data
                                                                                                                                                                                    RT_STRING0x27d57c0x308data
                                                                                                                                                                                    RT_STRING0x27d8840x370data
                                                                                                                                                                                    RT_RCDATA0x27dbf40x10data
                                                                                                                                                                                    RT_RCDATA0x27dc040xa84data
                                                                                                                                                                                    RT_RCDATA0x27e6880x6fdDelphi compiled form 'TcxFilterDialog'
                                                                                                                                                                                    RT_RCDATA0x27ed880x772Delphi compiled form 'TfmFilterControlDialog'
                                                                                                                                                                                    RT_RCDATA0x27f4fc0x5be3Delphi compiled form 'TForm1'
                                                                                                                                                                                    RT_RCDATA0x2850e00x45cDelphi compiled form 'TForm2'
                                                                                                                                                                                    RT_RCDATA0x28553c0x41fDelphi compiled form 'TForm3'
RT_RCDATA | 0x28595c | 0x494 | Delphi compiled form 'TLoginDialog'
RT_RCDATA | 0x285df0 | 0xa57 | Delphi compiled form 'TMadExcept'
RT_RCDATA | 0x286848 | 0x34e | Delphi compiled form 'TMEContactForm'
RT_RCDATA | 0x286b98 | 0x228 | Delphi compiled form 'TMEDetailsForm'
RT_RCDATA | 0x286dc0 | 0x2a3 | Delphi compiled form 'TMEScrShotForm'
RT_RCDATA | 0x287064 | 0x3c4 | Delphi compiled form 'TPasswordDialog'
RT_GROUP_CURSOR | 0x287428 | 0x14 | data
RT_GROUP_CURSOR | 0x28743c | 0x14 | data
RT_GROUP_CURSOR | 0x287450 | 0x14 | data
RT_GROUP_CURSOR | 0x287464 | 0x14 | data
RT_GROUP_CURSOR | 0x287478 | 0x14 | data
RT_GROUP_CURSOR | 0x28748c | 0x14 | data
RT_GROUP_CURSOR | 0x2874a0 | 0x14 | data
RT_GROUP_CURSOR | 0x2874b4 | 0x14 | data
RT_GROUP_CURSOR | 0x2874c8 | 0x14 | data
RT_GROUP_CURSOR | 0x2874dc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0x2874f0 | 0x14 | data
RT_GROUP_CURSOR | 0x287504 | 0x14 | data
RT_GROUP_CURSOR | 0x287518 | 0x14 | data
RT_GROUP_CURSOR | 0x28752c | 0x14 | data
RT_GROUP_CURSOR | 0x287540 | 0x14 | data
RT_GROUP_CURSOR | 0x287554 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR | 0x287568 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR | 0x28757c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR | 0x287590 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR | 0x2875a4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR | 0x2875b8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR | 0x2875cc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR | 0x2875e0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR | 0x2875f4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_ICON | 0x287608 | 0x14 | data | Russian | Russia

Imports

DLL | Import
KERNEL32.dll | MapViewOfFile, CreateFileA, InitializeCriticalSection, GetProcAddress, GetCurrentProcess, LocalFree, RaiseException, LocalAlloc, GetVersionExA, TerminateProcess, Sleep, WaitForSingleObject, GetExitCodeProcess, LeaveCriticalSection, EnterCriticalSection, SetLastError, GetFullPathNameA, DeleteFileA, WriteFile, GetTempFileNameA, GetTempPathA, VirtualFree, VirtualProtect, SetFilePointer, VirtualAlloc, DuplicateHandle, ReadFile, CreateFileMappingA, GetFileSize, LoadLibraryA, FlushFileBuffers, FindNextFileA, GetModuleFileNameA, ResumeThread, WriteProcessMemory, GetCurrentProcessId, CreateProcessA, HeapAlloc, HeapCreate, HeapFree, FormatMessageA, GetLastError, SetUnhandledExceptionFilter, VirtualQuery, CreateFileW, WideCharToMultiByte, GetFileAttributesA, CreateFileMappingW, FreeLibrary, LoadLibraryW, GetModuleHandleW, ExitProcess, FindClose, UnmapViewOfFile, CloseHandle, GetModuleHandleA, GetFileTime, GetSystemTimeAsFileTime, FindFirstFileA, RtlUnwind
USER32.dll | wvsprintfA, wsprintfA, ChangeDisplaySettingsA, MessageBoxA, CharUpperBuffA, LoadImageA
GDI32.dll | AddFontResourceA, RemoveFontResourceA, DeleteDC, CreateDIBSection, CreateCompatibleDC

Possible Origin

Language of compilation system | Country where language is spoken
English | United States
Russian | Russia

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
10/29/21-17:51:14.924932 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | - | - | 192.168.2.4 | 8.8.8.8
10/29/21-17:51:15.851555 | TCP | 2925 | INFO web bug 0x0 gif attempt | 80 | 49782 | 193.109.247.229 | 192.168.2.4
10/29/21-17:51:16.067758 | TCP | 2925 | INFO web bug 0x0 gif attempt | 80 | 49782 | 193.109.247.229 | 192.168.2.4
10/29/21-17:51:16.429861 | TCP | 2925 | INFO web bug 0x0 gif attempt | 80 | 49784 | 142.250.203.110 | 192.168.2.4
10/29/21-17:51:16.523030 | TCP | 2925 | INFO web bug 0x0 gif attempt | 80 | 49784 | 142.250.203.110 | 192.168.2.4

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                    Oct 29, 2021 17:51:15.851619005 CEST4978280192.168.2.4193.109.247.229
                                                                                                                                                                                    Oct 29, 2021 17:51:15.851660967 CEST4978280192.168.2.4193.109.247.229
                                                                                                                                                                                    Oct 29, 2021 17:51:15.852315903 CEST8049783193.109.247.229192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:15.852349997 CEST8049783193.109.247.229192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:15.852401018 CEST4978380192.168.2.4193.109.247.229
                                                                                                                                                                                    Oct 29, 2021 17:51:15.852443933 CEST4978380192.168.2.4193.109.247.229
                                                                                                                                                                                    Oct 29, 2021 17:51:15.858786106 CEST4978380192.168.2.4193.109.247.229
                                                                                                                                                                                    Oct 29, 2021 17:51:15.859746933 CEST4978280192.168.2.4193.109.247.229
                                                                                                                                                                                    Oct 29, 2021 17:51:15.925540924 CEST8049782193.109.247.229192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:15.925595999 CEST8049782193.109.247.229192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:15.925632954 CEST8049782193.109.247.229192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:15.925658941 CEST4978280192.168.2.4193.109.247.229
                                                                                                                                                                                    Oct 29, 2021 17:51:15.925693989 CEST4978280192.168.2.4193.109.247.229
                                                                                                                                                                                    Oct 29, 2021 17:51:15.925700903 CEST4978280192.168.2.4193.109.247.229
                                                                                                                                                                                    Oct 29, 2021 17:51:15.925990105 CEST8049783193.109.247.229192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:15.926028013 CEST8049783193.109.247.229192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:15.926078081 CEST4978380192.168.2.4193.109.247.229
                                                                                                                                                                                    Oct 29, 2021 17:51:15.926124096 CEST4978380192.168.2.4193.109.247.229
                                                                                                                                                                                    Oct 29, 2021 17:51:15.932754993 CEST4978280192.168.2.4193.109.247.229
                                                                                                                                                                                    Oct 29, 2021 17:51:15.933043003 CEST4978380192.168.2.4193.109.247.229
                                                                                                                                                                                    Oct 29, 2021 17:51:15.992491007 CEST49790443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:15.992551088 CEST4434979087.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:15.992872953 CEST49792443192.168.2.488.212.201.198
                                                                                                                                                                                    Oct 29, 2021 17:51:15.992913008 CEST4434979288.212.201.198192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:15.993001938 CEST4434979087.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:15.993077040 CEST49790443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:15.993448019 CEST4434979288.212.201.198192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:15.993534088 CEST49792443192.168.2.488.212.201.198
                                                                                                                                                                                    Oct 29, 2021 17:51:15.995634079 CEST49790443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:15.996196032 CEST49792443192.168.2.488.212.201.198
                                                                                                                                                                                    Oct 29, 2021 17:51:15.998469114 CEST8049782193.109.247.229192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:15.998507023 CEST8049782193.109.247.229192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:15.998537064 CEST8049782193.109.247.229192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:15.998560905 CEST8049782193.109.247.229192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:15.998564959 CEST4978280192.168.2.4193.109.247.229
                                                                                                                                                                                    Oct 29, 2021 17:51:15.998579979 CEST8049782193.109.247.229192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:15.998594999 CEST4978280192.168.2.4193.109.247.229
                                                                                                                                                                                    Oct 29, 2021 17:51:15.998601913 CEST4978280192.168.2.4193.109.247.229
                                                                                                                                                                                    Oct 29, 2021 17:51:15.998606920 CEST4978280192.168.2.4193.109.247.229
                                                                                                                                                                                    Oct 29, 2021 17:51:15.998631001 CEST4978280192.168.2.4193.109.247.229
                                                                                                                                                                                    Oct 29, 2021 17:51:15.999679089 CEST49791443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:15.999715090 CEST4434979187.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:15.999856949 CEST49793443192.168.2.488.212.201.198
                                                                                                                                                                                    Oct 29, 2021 17:51:15.999886036 CEST4434979388.212.201.198192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.000112057 CEST8049783193.109.247.229192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.000145912 CEST8049783193.109.247.229192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.000178099 CEST4978380192.168.2.4193.109.247.229
                                                                                                                                                                                    Oct 29, 2021 17:51:16.000216007 CEST4978380192.168.2.4193.109.247.229
                                                                                                                                                                                    Oct 29, 2021 17:51:16.000237942 CEST4434979187.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.000302076 CEST49791443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:16.000386953 CEST4434979388.212.201.198192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.000467062 CEST49793443192.168.2.488.212.201.198
                                                                                                                                                                                    Oct 29, 2021 17:51:16.001530886 CEST49791443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:16.001703024 CEST49793443192.168.2.488.212.201.198
                                                                                                                                                                                    Oct 29, 2021 17:51:16.002221107 CEST4978280192.168.2.4193.109.247.229
                                                                                                                                                                                    Oct 29, 2021 17:51:16.003344059 CEST4978380192.168.2.4193.109.247.229
                                                                                                                                                                                    Oct 29, 2021 17:51:16.036875963 CEST4434979288.212.201.198192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.036895037 CEST4434979087.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.039311886 CEST4434979087.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.039371967 CEST4434979087.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.039388895 CEST49790443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:16.039413929 CEST4434979087.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.039444923 CEST49790443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:16.039479017 CEST49790443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:16.044728994 CEST4434979187.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.044826031 CEST49791443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:16.044888020 CEST4434979388.212.201.198192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.044991016 CEST4434979187.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.045074940 CEST49791443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:16.055838108 CEST4434979288.212.201.198192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.055977106 CEST4434979288.212.201.198192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.056112051 CEST49792443192.168.2.488.212.201.198
                                                                                                                                                                                    Oct 29, 2021 17:51:16.057167053 CEST49792443192.168.2.488.212.201.198
                                                                                                                                                                                    Oct 29, 2021 17:51:16.057198048 CEST4434979288.212.201.198192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.059412956 CEST49794443192.168.2.488.212.201.198
                                                                                                                                                                                    Oct 29, 2021 17:51:16.059463024 CEST4434979488.212.201.198192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.059540033 CEST49794443192.168.2.488.212.201.198
                                                                                                                                                                                    Oct 29, 2021 17:51:16.060487986 CEST49794443192.168.2.488.212.201.198
                                                                                                                                                                                    Oct 29, 2021 17:51:16.060513020 CEST4434979488.212.201.198192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.064027071 CEST4434979388.212.201.198192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.064127922 CEST49793443192.168.2.488.212.201.198
                                                                                                                                                                                    Oct 29, 2021 17:51:16.064136982 CEST4434979388.212.201.198192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.064225912 CEST49793443192.168.2.488.212.201.198
                                                                                                                                                                                    Oct 29, 2021 17:51:16.064769983 CEST49793443192.168.2.488.212.201.198
                                                                                                                                                                                    Oct 29, 2021 17:51:16.064807892 CEST4434979388.212.201.198192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.067068100 CEST49795443192.168.2.488.212.201.198
                                                                                                                                                                                    Oct 29, 2021 17:51:16.067107916 CEST4434979588.212.201.198192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.067214012 CEST49795443192.168.2.488.212.201.198
                                                                                                                                                                                    Oct 29, 2021 17:51:16.067758083 CEST8049782193.109.247.229192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.067786932 CEST49795443192.168.2.488.212.201.198
                                                                                                                                                                                    Oct 29, 2021 17:51:16.067804098 CEST4434979588.212.201.198192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.067806005 CEST8049782193.109.247.229192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.067868948 CEST4978280192.168.2.4193.109.247.229
                                                                                                                                                                                    Oct 29, 2021 17:51:16.068365097 CEST4978280192.168.2.4193.109.247.229
                                                                                                                                                                                    Oct 29, 2021 17:51:16.070466995 CEST8049783193.109.247.229192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.070512056 CEST8049783193.109.247.229192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.070537090 CEST4978380192.168.2.4193.109.247.229
                                                                                                                                                                                    Oct 29, 2021 17:51:16.070545912 CEST8049783193.109.247.229192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.070559978 CEST4978380192.168.2.4193.109.247.229
                                                                                                                                                                                    Oct 29, 2021 17:51:16.070593119 CEST4978380192.168.2.4193.109.247.229
                                                                                                                                                                                    Oct 29, 2021 17:51:16.070837975 CEST4978280192.168.2.4193.109.247.229
                                                                                                                                                                                    Oct 29, 2021 17:51:16.074219942 CEST4978380192.168.2.4193.109.247.229
                                                                                                                                                                                    Oct 29, 2021 17:51:16.081327915 CEST4434979087.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.081345081 CEST4434979087.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.081433058 CEST49790443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:16.081454039 CEST49790443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:16.081468105 CEST4434979087.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.081490040 CEST4434979087.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.081588984 CEST49790443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:16.081603050 CEST4434979087.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.081693888 CEST49790443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:16.081868887 CEST4434979087.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.239917994 CEST4434979087.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.395189047 CEST4434979488.212.201.198192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.395298958 CEST4434979488.212.201.198192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.395343065 CEST49794443192.168.2.488.212.201.198
                                                                                                                                                                                    Oct 29, 2021 17:51:16.395363092 CEST49794443192.168.2.488.212.201.198
                                                                                                                                                                                    Oct 29, 2021 17:51:16.396940947 CEST49794443192.168.2.488.212.201.198
                                                                                                                                                                                    Oct 29, 2021 17:51:16.396970987 CEST4434979488.212.201.198192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.420218945 CEST4434979588.212.201.198192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.420306921 CEST49795443192.168.2.488.212.201.198
                                                                                                                                                                                    Oct 29, 2021 17:51:16.420335054 CEST4434979588.212.201.198192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:16.420416117 CEST49795443192.168.2.488.212.201.198
                                                                                                                                                                                    Oct 29, 2021 17:51:16.432787895 CEST49795443192.168.2.488.212.201.198
                                                                                                                                                                                    Oct 29, 2021 17:51:16.432821989 CEST4434979588.212.201.198192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:20.785264969 CEST49796443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:20.785350084 CEST4434979687.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:20.785449982 CEST49796443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:20.848257065 CEST49796443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:20.848278046 CEST4434979687.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:20.934581041 CEST4434979687.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:20.934983015 CEST49796443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:20.937721014 CEST49796443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:20.937735081 CEST4434979687.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:20.943073034 CEST49796443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:20.943109989 CEST4434979687.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:20.946856022 CEST49797443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:20.946923018 CEST4434979787.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:20.947021008 CEST49797443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:20.947932005 CEST49797443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:20.947973967 CEST4434979787.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.020080090 CEST4434979687.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.020198107 CEST49796443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.020234108 CEST4434979687.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.020294905 CEST4434979687.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.020318985 CEST49796443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.020375013 CEST49796443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.022488117 CEST49796443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.022531986 CEST4434979687.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.025563955 CEST49798443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.025619030 CEST4434979887.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.025718927 CEST49798443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.026580095 CEST49798443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.026609898 CEST4434979887.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.035330057 CEST4434979787.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.035466909 CEST49797443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.036009073 CEST49797443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.036031961 CEST4434979787.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.040112019 CEST49797443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.040128946 CEST4434979787.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.112166882 CEST4434979887.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.112409115 CEST49798443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.113662004 CEST49798443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.113679886 CEST4434979887.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.119508982 CEST4434979787.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.119707108 CEST4434979787.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.121391058 CEST49797443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.124162912 CEST49797443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.124201059 CEST4434979787.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.124628067 CEST49798443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.124648094 CEST4434979887.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.126950979 CEST49799443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.127002001 CEST4434979987.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.127120018 CEST49799443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.128032923 CEST49799443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.128057003 CEST4434979987.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.196330070 CEST4434979887.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.196469069 CEST49798443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.196505070 CEST4434979887.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.196530104 CEST4434979887.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.196629047 CEST49798443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.196643114 CEST49798443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.197206974 CEST49798443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.197267056 CEST4434979887.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.199352980 CEST49800443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.199455976 CEST4434980087.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.199565887 CEST49800443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.199981928 CEST49800443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.200018883 CEST4434980087.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.213851929 CEST4434979987.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.213963985 CEST49799443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.214389086 CEST49799443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.214401960 CEST4434979987.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.217988968 CEST49799443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.218005896 CEST4434979987.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.288194895 CEST4434980087.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.288319111 CEST49800443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.288963079 CEST49800443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.288981915 CEST4434980087.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.292476892 CEST49800443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.292496920 CEST4434980087.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.298106909 CEST4434979987.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.298239946 CEST49799443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.298250914 CEST4434979987.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.298312902 CEST49799443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.298595905 CEST49799443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.298618078 CEST4434979987.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.300107956 CEST49801443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.300143003 CEST4434980187.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.300211906 CEST49801443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.300774097 CEST49801443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.300793886 CEST4434980187.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.372479916 CEST4434980087.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.372595072 CEST49800443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.372621059 CEST4434980087.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.372646093 CEST4434980087.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.372736931 CEST49800443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.372792006 CEST49800443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.373806000 CEST49800443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.373830080 CEST4434980087.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.392185926 CEST4434980187.250.251.119192.168.2.4
                                                                                                                                                                                    Oct 29, 2021 17:51:21.392345905 CEST49801443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.393182993 CEST49801443192.168.2.487.250.251.119
                                                                                                                                                                                    Oct 29, 2021 17:51:21.393194914 CEST4434980187.250.251.119192.168.2.4
Oct 29, 2021 17:51:21.397862911 CEST | 49801 | 443 | 192.168.2.4 | 87.250.251.119
Oct 29, 2021 17:51:21.397878885 CEST | 443 | 49801 | 87.250.251.119 | 192.168.2.4
Oct 29, 2021 17:51:21.475016117 CEST | 443 | 49801 | 87.250.251.119 | 192.168.2.4
Oct 29, 2021 17:51:21.475174904 CEST | 49801 | 443 | 192.168.2.4 | 87.250.251.119
Oct 29, 2021 17:51:21.475186110 CEST | 443 | 49801 | 87.250.251.119 | 192.168.2.4
Oct 29, 2021 17:51:21.475214958 CEST | 443 | 49801 | 87.250.251.119 | 192.168.2.4
Oct 29, 2021 17:51:21.475285053 CEST | 49801 | 443 | 192.168.2.4 | 87.250.251.119
Oct 29, 2021 17:51:21.475353956 CEST | 49801 | 443 | 192.168.2.4 | 87.250.251.119
Oct 29, 2021 17:51:21.481211901 CEST | 49801 | 443 | 192.168.2.4 | 87.250.251.119
Oct 29, 2021 17:51:21.481229067 CEST | 443 | 49801 | 87.250.251.119 | 192.168.2.4
Oct 29, 2021 17:51:31.117208004 CEST | 80 | 49783 | 193.109.247.229 | 192.168.2.4
Oct 29, 2021 17:51:31.117257118 CEST | 80 | 49782 | 193.109.247.229 | 192.168.2.4
Oct 29, 2021 17:51:31.117348909 CEST | 49783 | 80 | 192.168.2.4 | 193.109.247.229
Oct 29, 2021 17:51:31.117381096 CEST | 49782 | 80 | 192.168.2.4 | 193.109.247.229

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 29, 2021 17:51:13.816387892 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
Oct 29, 2021 17:51:14.822130919 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
Oct 29, 2021 17:51:14.890239954 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
Oct 29, 2021 17:51:14.924814939 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
Oct 29, 2021 17:51:15.343087912 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
Oct 29, 2021 17:51:15.362226963 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
Oct 29, 2021 17:51:15.362785101 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
Oct 29, 2021 17:51:15.381855965 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4

ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Oct 29, 2021 17:51:14.924932003 CEST | 192.168.2.4 | 8.8.8.8 | d00d | (Port unreachable) | Destination Unreachable

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Oct 29, 2021 17:51:13.816387892 CEST | 192.168.2.4 | 8.8.8.8 | 0xc22c | Standard query (0) | www.all-bearings.narod.ru | A (IP address) | IN (0x0001)
Oct 29, 2021 17:51:14.822130919 CEST | 192.168.2.4 | 8.8.8.8 | 0xc22c | Standard query (0) | www.all-bearings.narod.ru | A (IP address) | IN (0x0001)
Oct 29, 2021 17:51:15.343087912 CEST | 192.168.2.4 | 8.8.8.8 | 0x6b57 | Standard query (0) | counter.yadro.ru | A (IP address) | IN (0x0001)
Oct 29, 2021 17:51:15.362785101 CEST | 192.168.2.4 | 8.8.8.8 | 0xe7f9 | Standard query (0) | mc.yandex.ru | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Oct 29, 2021 17:51:14.890239954 CEST | 8.8.8.8 | 192.168.2.4 | 0xc22c | No error (0) | www.all-bearings.narod.ru | | 193.109.247.229 | A (IP address) | IN (0x0001)
Oct 29, 2021 17:51:14.924814939 CEST | 8.8.8.8 | 192.168.2.4 | 0xc22c | No error (0) | www.all-bearings.narod.ru | | 193.109.247.229 | A (IP address) | IN (0x0001)
Oct 29, 2021 17:51:15.347728014 CEST | 8.8.8.8 | 192.168.2.4 | 0x2fe6 | No error (0) | www-google-analytics.l.google.com | | 142.250.203.110 | A (IP address) | IN (0x0001)
Oct 29, 2021 17:51:15.362226963 CEST | 8.8.8.8 | 192.168.2.4 | 0x6b57 | No error (0) | counter.yadro.ru | | 88.212.201.198 | A (IP address) | IN (0x0001)
Oct 29, 2021 17:51:15.362226963 CEST | 8.8.8.8 | 192.168.2.4 | 0x6b57 | No error (0) | counter.yadro.ru | | 88.212.201.210 | A (IP address) | IN (0x0001)
Oct 29, 2021 17:51:15.362226963 CEST | 8.8.8.8 | 192.168.2.4 | 0x6b57 | No error (0) | counter.yadro.ru | | 88.212.201.216 | A (IP address) | IN (0x0001)
Oct 29, 2021 17:51:15.362226963 CEST | 8.8.8.8 | 192.168.2.4 | 0x6b57 | No error (0) | counter.yadro.ru | | 88.212.201.204 | A (IP address) | IN (0x0001)
Oct 29, 2021 17:51:15.381855965 CEST | 8.8.8.8 | 192.168.2.4 | 0xe7f9 | No error (0) | mc.yandex.ru | | 87.250.251.119 | A (IP address) | IN (0x0001)
Oct 29, 2021 17:51:15.381855965 CEST | 8.8.8.8 | 192.168.2.4 | 0xe7f9 | No error (0) | mc.yandex.ru | | 87.250.250.119 | A (IP address) | IN (0x0001)
Oct 29, 2021 17:51:15.381855965 CEST | 8.8.8.8 | 192.168.2.4 | 0xe7f9 | No error (0) | mc.yandex.ru | | 77.88.21.119 | A (IP address) | IN (0x0001)
Oct 29, 2021 17:51:15.381855965 CEST | 8.8.8.8 | 192.168.2.4 | 0xe7f9 | No error (0) | mc.yandex.ru | | 93.158.134.119 | A (IP address) | IN (0x0001)
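The HTTPS sessions in this report carry no decoded Host header, so the only way to know which hostname a 443 connection served is to join the destination IP back against the DNS answers the sample received. The following is an added example, not part of the sandbox report or of the sample; it transcribes the DNS Answers and HTTP Packets tables above into Python records and derives four things an analyst checks before writing indicators: which resolved name each session maps to, which answered addresses were never contacted (spare A records that should not become IOCs on their own), any destination contacted with no preceding resolution (a hard-coded IP), and answers the sample never asked for. It also flags the retransmitted query 0xc22c, which was answered twice; the second reply at 17:51:14.924814939 arrived after the resolver socket had closed, which is why the ICMP "Port unreachable" at 17:51:14.924932003 follows it.

```python
"""Attribute a sandbox report's TCP sessions to the hostnames the sample resolved.

Added example, not part of the sandbox report. The records below are transcribed
from the DNS Queries, DNS Answers and HTTP Packets tables; nothing else is assumed.
"""
from collections import defaultdict

# (timestamp, transaction id, queried name, answer address) from the DNS Answers table
DNS_ANSWERS = [
    ("17:51:14.890239954", 0xC22C, "www.all-bearings.narod.ru", "193.109.247.229"),
    ("17:51:14.924814939", 0xC22C, "www.all-bearings.narod.ru", "193.109.247.229"),
    ("17:51:15.347728014", 0x2FE6, "www-google-analytics.l.google.com", "142.250.203.110"),
    ("17:51:15.362226963", 0x6B57, "counter.yadro.ru", "88.212.201.198"),
    ("17:51:15.362226963", 0x6B57, "counter.yadro.ru", "88.212.201.210"),
    ("17:51:15.362226963", 0x6B57, "counter.yadro.ru", "88.212.201.216"),
    ("17:51:15.362226963", 0x6B57, "counter.yadro.ru", "88.212.201.204"),
    ("17:51:15.381855965", 0xE7F9, "mc.yandex.ru", "87.250.251.119"),
    ("17:51:15.381855965", 0xE7F9, "mc.yandex.ru", "87.250.250.119"),
    ("17:51:15.381855965", 0xE7F9, "mc.yandex.ru", "77.88.21.119"),
    ("17:51:15.381855965", 0xE7F9, "mc.yandex.ru", "93.158.134.119"),
]

# (session id, source port, destination ip, destination port) from the HTTP Packets table
SESSIONS = [
    (0, 49790, "87.250.251.119", 443),
    (1, 49792, "88.212.201.198", 443),
    (10, 49800, "87.250.251.119", 443),
    (11, 49801, "87.250.251.119", 443),
    (12, 49782, "193.109.247.229", 80),
]

# Transaction IDs of the queries the sample itself sent (DNS Queries table).
QUERY_IDS = {0xC22C, 0x6B57, 0xE7F9}


def passive_dns(answers):
    """Map each answered address to the set of names it was returned for."""
    table = defaultdict(set)
    for _ts, _txid, name, addr in answers:
        table[addr].add(name)
    return dict(table)


def attribute_sessions(sessions, answers):
    """Label each session with the resolved name(s) behind its destination IP, or None."""
    pdns = passive_dns(answers)
    return {sid: sorted(pdns.get(dst, ())) or None for sid, _sport, dst, _dport in sessions}


def resolved_but_not_contacted(sessions, answers):
    """Addresses handed back by DNS that never appear as a destination (spare A records)."""
    contacted = {dst for _sid, _sport, dst, _dport in sessions}
    return sorted(set(passive_dns(answers)) - contacted)


def contacted_without_resolution(sessions, answers):
    """Destinations with no DNS answer at all: hard-coded IPs that bypass name resolution."""
    pdns = passive_dns(answers)
    return sorted({dst for _sid, _sport, dst, _dport in sessions if dst not in pdns})


def answers_without_query(answers, query_ids):
    """Answers whose transaction ID matches no query the sample sent."""
    return sorted({(txid, name) for _ts, txid, name, _addr in answers if txid not in query_ids})


def duplicate_answers(answers):
    """Repeated (txid, name, addr) answers: a retransmitted query that was answered twice."""
    seen, dups = set(), set()
    for _ts, txid, name, addr in answers:
        key = (txid, name, addr)
        if key in seen:
            dups.add(key)
        seen.add(key)
    return sorted(dups)


if __name__ == "__main__":
    for sid, names in attribute_sessions(SESSIONS, DNS_ANSWERS).items():
        print(f"session {sid:>2}: {names}")
    print("resolved, never contacted:", resolved_but_not_contacted(SESSIONS, DNS_ANSWERS))
    print("contacted, never resolved:", contacted_without_resolution(SESSIONS, DNS_ANSWERS))
    print("answers without a query:  ", answers_without_query(DNS_ANSWERS, QUERY_IDS))
    print("duplicate answers:        ", duplicate_answers(DNS_ANSWERS))
```

On this report the join is unambiguous because every contacted address belongs to exactly one name; when the same IP is returned for several names (a CDN front), the function returns all of them and the analyst has to fall back on the TLS SNI or certificate in the pcap.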

                                                                                                                                                                                    HTTP Request Dependency Graph

                                                                                                                                                                                    • www.all-bearings.narod.ru
                                                                                                                                                                                      • mc.yandex.ru
                                                                                                                                                                                      • counter.yadro.ru

                                                                                                                                                                                    HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49790 | 87.250.251.119 | 443 | C:\Users\user\Desktop\njw.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49792 | 88.212.201.198 | 443 | C:\Users\user\Desktop\njw.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.4 | 49800 | 87.250.251.119 | 443 | C:\Users\user\Desktop\njw.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
11 | 192.168.2.4 | 49801 | 87.250.251.119 | 443 | C:\Users\user\Desktop\njw.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
12 | 192.168.2.4 | 49782 | 193.109.247.229 | 80 | C:\Users\user\Desktop\njw.exe
Timestamp | kBytes transferred | Direction | Data
Oct 29, 2021 17:51:14.979448080 CEST | 1390 | OUT | GET /secondpage.html HTTP/1.1
                                                                                                                                                                                    Accept: */*
                                                                                                                                                                                    Accept-Language: en-US
                                                                                                                                                                                    Accept-Encoding: gzip, deflate
                                                                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                                                    Host: www.all-bearings.narod.ru
                                                                                                                                                                                    Connection: Keep-Alive
Oct 29, 2021 17:51:15.045492887 CEST | 1391 | IN | HTTP/1.1 404 Not Found
                                                                                                                                                                                    Server: nginx
                                                                                                                                                                                    Date: Fri, 29 Oct 2021 15:51:16 GMT
                                                                                                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                    Transfer-Encoding: chunked
                                                                                                                                                                                    Connection: keep-alive
                                                                                                                                                                                    Keep-Alive: timeout=15
                                                                                                                                                                                    ETag: W/"611e66ad-1ad5"
                                                                                                                                                                                    Content-Encoding: gzip
                                                                                                                                                                                    Data Raw: 61 30 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 9d 59 fb 6f db 38 12 fe 3d 7f 05 ab e0 60 bb 89 25 bf 92 a6 7e 15 6d da c5 2e 90 6e 7b bb e9 1d 8a a2 28 68 89 b6 d8 48 a2 4a 52 71 bc d9 fc ef 37 43 ea 65 5b 4e ba 67 a1 91 c4 c7 70 e6 9b 99 8f 43 75 fa ec ed 87 cb eb cf 1f df 91 50 c7 d1 fc 68 5a dc 18 0d e6 47 04 7e d3 98 69 0a bd 3a ed b2 1f 19 bf 9d 39 be 48 34 4b 74 57 6f 52 e6 90 fc 6d e6 68 76 a7 3d 9c 3e 21 7e 48 a5 62 7a 96 e9 65 f7 c2 21 5e 2e 49 73 1d b1 f9 af d7 d7 1f c9 a8 37 22 7f 30 25 32 e9 33 92 08 4d 96 22 4b 82 a9 67 87 1c 4d 95 de 44 8c e0 0a b9 60 5f 29 67 7e b4 10 c1 86 dc c7 54 ae 78 32 26 bd 09 49 69 10 f0 64 65 9e 17 d4 bf 59 49 94 33 26 c7 cb e5 72 02 42 13 3d 26 fd 41 7a e7 0d e0 0f 69 fd 87 c9 80 26 b4 05 2a 8a 48 48 18 77 7e 81 d7 e4 c1 8a a6 e4 be e8 18 0e e8 c0 07 19 b8 7a 37 60 be 90 54 73 01 ab 82 7c 26 23 9e b0 72 d2 38 14 b7 4c 92 fb bd a1 89 30 a3 74 70 4a 78 92 66 fa 94 28 16 31 1f ee 38 94 4a 06 eb 55 3a 92 a7 95 74 fd 88 51 58 c9 dc c6 64 21 74 68 5a ad 0f c8 fd 9a 07 3a 1c 93 17 c3 b3 f4 6e 42 0a 9c 68 a6 05 0c f3 9e 77 f3 1f 7a 97 49 fb fc dc 3b 3a b6 ef e4 3e 64 7c 15 82 36 67 66 7a 1d cf 4c 46 6d cf 55 1e 8f 57 1e 93 d2 03 ff 15 52 10 0a 77 c5 97 1d 22 59 ca a8 ee de 91 1e f8 17 24 3c 1c 1d 47 62 25 c0 c6 48 50 10 1b b1 a5 ae b4 aa 7b 6f 70 9e e2 ac 1e 36 e6 36 8c 86 a8 43 a1 d1 e0 45 4d 1e a0 16 70 95 46 74 03 10 44 c2 bf a9 c7 01 79 89 f3 0e 0b 21 e8 2b 50 68 3d 26 21 0f 02 96 40 4b a6 d1 88 dc 5f d6 e3 1c bc 8c 8e e9 be 84 df 2e 1a 18 5d 8d 90 a0 7a 6e 9a ac 3a 20 aa 6b e1 20 3e c8 01 70 ed 0d bd a5 b8 66 5d 1f 9c af 59 09 8d 44 0d 2b 6c ea 78 3c 62 ea 99 19 d5 37 de ca e3 a8 8f b1 7e 7e 20 8c 5e f8 3d 36 f8 49 53 a8 94 62 bd 6b 0b 7a 90 f4 ad 6f ab 70 aa ff 20 9c aa 8e 98 f2 a4 d6 71 8c ef e4 be 34 e0 ac 67 f4 3f 33 66 20 32 66 bc 59 63 
3b 64 72 6f f6 cf 71 65 eb 1f 1a f1 15 00 55 a1 0a 7a 0b 69 e8 a3 cc a9 0b c4 62 d4 8c c5 0b b6 18 05 83 72 a2 2f 02 56 11 4b df 2a 36 b0 8a 95 cb db b4 28 a2 e9 fc fc 27 92 64 07 40 5c 2f a5 2b 06 8c 67 08 af 54 75 84 aa f6 0e a9 8a d7 de 54 9a 13 8e 96 34 51 4b 21 63 50 20 4d 99 f4 a9 62 4d 76 1a 70 4d 9c 35 a3 3b 7a b9 45 1a 26 fa c8 85 f5 75 7d 72 38 dc 62 e0 1a c7 22 e0 4d 06 0c 86 78 95 62 4a b6 6a 62 82 fe b0 8c fc dd f1 59 54 4d 19 96 91 0f 19 8a 6a d7 37 82 88 2b dd 35 3b 48 49 c1 c7 0a 08 d3 0f c9 3d e6 9f 79 5c 0b 19 94 84 39 7c d1 db 16 42 b6 5c 3d 30 bd c8 11 dd ed a6 1d e6 58 80 4c 06 16 43 12 12 25 22 1e 90 63 7f 89 57 d1 d5 95 34 e0 99 1a 5b f1 40 44 9a fb 34 2a 82 39 06 3e 8a 8c a3 ad 8a 6a 11 3f 1a 20 a5 2e 03 94 56 a0 7d 36 a2 41 b9 71 a9 90 06 48 75 3d a3 13 fe b3 3b 63 cd 52 23 15 37 1e 6b 52 93 0d 43 bc c8 33 1e a7 90 62 34 d1 cd e6 6c d1 0a bb c0 6b 2f 25 16 99 d6 22 b1 59 51 6c 17 a0 7a 26 15 ea 9e 0a 6e d2 79 17 d7 03 40 d5 a8 fc 96 2b be 30 d8 3d 1f 2f b9 04 ff fb 21 8f 82 13 ac 47 48 1d ce c2 bc 5e dd 9c 9f 21 b3 a5 10 ba d8 33 0d 99 d9 86 1a 9d f5 cf 2a d2 ce f1 d1 22 dd 42 32 58 e0 85 1e ce c5 81 d3 9a b3 71 30 72 5f fe 6b 67 60 38 22 f7 5b f9 d9 cf 09 aa c6 fd fd 03 7c 77 76 8e d7 8e 40 cc a8 c6 fd b8 39 89 76 a6 46 1c 66 d7 97 3e 90 fe 17 14 af 9d f9 30 19 08 6c 77 cc 7e b5 d5 b0 34 4e 3d 58 72 d5 ab b3 83 4e 9d 7a c6 30 a8 33 3d 5b e8 4e b1 90 c3 b2 d3 97 3c d5 f5 ba f3 3b bd a5 b6 d5 c1 2a f6 16 aa af 6f 2b fa 83 cc ec
                                                                                                                                                                                    Data Ascii: a01Yo8=`%~m.n{(hHJRq7Ce[NgpCuPhZG~i:9H4KtWoRmhv=>!~Hbze!^.Is7"0%23M"KgMD`_)g~Tx2&IideYI3&rB=&Azi&*HHw~z7`Ts|&#r8L0tpJxf(18JU:tQXd!thZ:nBhwzI;:>d|6gfzLFmUWRw"Y$<Gb%HP{op66CEMpFtDy!+Ph=&!@K_.]zn: k >pf]YD+lx<b7~~ ^=6ISbkzop q4g?3f 2fYc;droqeUzibr/VK*6('d@\/+gTuT4QK!cP MbMvpM5;zE&u}r8b"MxbJjbYTMj7+5;HI=y\9|B\=0XLC%"cW4[@D4*9>j? .V}6AqHu=;cR#7kRC3b4lk/%"YQlz&ny@+0=/!GH^!3*"B2Xq0r_kg`8"[|wv@9vFf>0lw~4N=XrNz03=[N<;*o+
Oct 29, 2021 17:51:15.045532942 CEST | 1393 | IN | Data Raw: ed ef bf c9 97 af 13 e8 c0 37 37 cd 54 d8 fe d2 fa 06 b5 ef 6b df 87 4c d0 ad 53 d2 fa f4 ba 3b ec f5 a0 8c 38 eb 77 fb ad af 9d a6 e1 6f 05 52 dd ef 34 66 38 03 8d 3e 30 f0 75 04 f1 7e c5 93 1b 26 61 a4 96 19 6b 18 07 5b 82 7f f3 11 36 8b 5b ce
                                                                                                                                                                                    Data Ascii: 77TkLS;8woR4f8>0u~&ak[6[2K|!G[V,-JE-kw3a.bc[;L'U^gbCnA[dV[J07B+<wx]9!-w%*b]h=XjMJT9/`[0w(\(
Oct 29, 2021 17:51:15.045563936 CEST | 1393 | IN | Data Raw: 11 07 89 ea 2e 2c dd 36 48 cd 87 3f 22 18 4f 08 7a cd 35 d6 ca 28 f4 f8 99 91 fb 8d 25 0d a0 db 71 ff 07 4c bf b2 28 7d 02 21 38 70 3d 86 cf eb 7f 3f 8e 8e 41 e5 f0 f6 74 0d 29 bc 85 c4 cf eb 7e c5 56 34 02 e2 c2 2c 35 45 d6 3f 09 78 26 63 e5 e1
                                                                                                                                                                                    Data Ascii: .,6H?"Oz5(%qL(}!8p=?At)~V4,5E?x&cpGN?[o<D>f++IN0
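The 404 response above is sent with Transfer-Encoding: chunked and Content-Encoding: gzip, so the Data Raw column starts with the chunk-size line "a01\r\n" (61 30 31 0d 0a, a first chunk of 0xa01 = 2561 bytes) and only then the gzip member header 1f 8b 08 00 00 00 00 00 00 03. The Data Ascii column is therefore unreadable by design, and an analyst who wants the page text has to strip the chunk framing and gunzip what remains. The following is an added example, not part of the sandbox report; the only captured bytes it uses are those first fifteen, and because the report shows only a fragment of the 2561-byte chunk it constructs its own complete chunked gzip body (the HTML is made up) so the decode can run end to end. It also handles the truncated-capture case, returning whatever bytes are present instead of failing.

```python
"""Decode an HTTP/1.1 chunked, gzip-compressed response body such as the 404 page above.

Added example, not part of the sandbox report. Only CAPTURED_PREFIX comes from the
report; DEMO_HTML is a constructed stand-in for the real 2561-byte page.
"""
import gzip
import struct

# First bytes of the 404 response body copied from the Data Raw column:
# "a01\r\n" (chunk size 0xa01 = 2561 bytes) followed by the 10-byte gzip header.
CAPTURED_PREFIX = bytes.fromhex("61 30 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03")

# RFC 1952 OS identifiers that matter in practice.
GZIP_OS_NAMES = {0: "FAT", 3: "Unix", 11: "NTFS", 255: "unknown"}


def parse_chunk_header(buf: bytes, pos: int = 0):
    """Return (chunk_size, offset of the chunk data) for the chunk header at pos."""
    end = buf.find(b"\r\n", pos)
    if end < 0:
        raise ValueError("truncated chunk header")
    size_field = buf[pos:end].split(b";", 1)[0].strip()  # drop chunk extensions
    if not size_field or any(c not in b"0123456789abcdefABCDEF" for c in size_field):
        raise ValueError(f"bad chunk size {size_field!r}")
    return int(size_field, 16), end + 2


def decode_chunked(buf: bytes, allow_partial: bool = False) -> bytes:
    """Reassemble chunk payloads. A capture that stops mid-chunk raises unless allow_partial."""
    out = bytearray()
    pos = 0
    while True:
        try:
            size, pos = parse_chunk_header(buf, pos)
        except ValueError:
            if allow_partial:
                return bytes(out)
            raise
        if size == 0:
            return bytes(out)  # last-chunk; trailers, if any, are ignored
        data = buf[pos:pos + size]
        if len(data) < size:
            if allow_partial:
                return bytes(out + data)
            raise ValueError(f"truncated: chunk needs {size} bytes, {len(data)} present")
        out += data
        pos += size
        if buf[pos:pos + 2] != b"\r\n":
            raise ValueError("missing CRLF after chunk data")
        pos += 2


def parse_gzip_header(data: bytes) -> dict:
    """Decode the fixed 10-byte gzip member header (magic, method, flags, mtime, xfl, os)."""
    if len(data) < 10 or data[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream")
    method, flags, mtime, xfl, os_id = struct.unpack("<BBIBB", data[2:10])
    if method != 8:
        raise ValueError(f"unexpected compression method {method}")
    return {"flags": flags, "mtime": mtime, "xfl": xfl, "os": GZIP_OS_NAMES.get(os_id, str(os_id))}


def encode_chunked(payload: bytes, chunk_size: int) -> bytes:
    """Frame payload as a chunked body; used only to construct the demo response."""
    out = bytearray()
    for i in range(0, len(payload), chunk_size):
        piece = payload[i:i + chunk_size]
        out += f"{len(piece):x}\r\n".encode() + piece + b"\r\n"
    out += b"0\r\n\r\n"
    return bytes(out)


def decode_body(buf: bytes, allow_partial: bool = False) -> bytes:
    """Chunked -> gzip -> plaintext, the order a client applies to this response."""
    compressed = decode_chunked(buf, allow_partial)
    parse_gzip_header(compressed)  # fail early on anything that is not gzip
    return gzip.decompress(compressed)


# Constructed stand-in for the real page (the report shows only a fragment of it).
DEMO_HTML = (b"<html><head><title>404 Not Found</title></head><body>"
             b"<img src='/.s/img/err/404-header-line.gif'><img src='/.s/img/err/404-logo.png'>"
             b"</body></html>")
DEMO_BODY = encode_chunked(gzip.compress(DEMO_HTML, mtime=0), chunk_size=0x40)

if __name__ == "__main__":
    size, offset = parse_chunk_header(CAPTURED_PREFIX)
    print(f"captured: first chunk {size} bytes, gzip header {parse_gzip_header(CAPTURED_PREFIX[offset:])}")
    print(f"captured bytes recoverable without the rest of the chunk: "
          f"{len(decode_chunked(CAPTURED_PREFIX, allow_partial=True))}")
    print(decode_body(DEMO_BODY).decode())
```

The gzip OS byte of the captured header is 03 (Unix), consistent with the Server: nginx header; a mismatch there between claimed server and compressor is a cheap tell for a response that was pre-generated elsewhere. Note that the two fetches that follow, for 404-header-line.gif and 404-logo.png with a Referer of the 404 page, mean the sample rendered the HTML and followed its image references rather than just reading the bytes.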
Oct 29, 2021 17:51:15.785819054 CEST | 1457 | OUT | GET /.s/img/err/404-header-line.gif HTTP/1.1
                                                                                                                                                                                    Accept: */*
                                                                                                                                                                                    Referer: http://www.all-bearings.narod.ru/secondpage.html
                                                                                                                                                                                    Accept-Language: en-US
                                                                                                                                                                                    Accept-Encoding: gzip, deflate
                                                                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                                                    Host: www.all-bearings.narod.ru
                                                                                                                                                                                    Connection: Keep-Alive
Oct 29, 2021 17:51:15.851555109 CEST | 1458 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                    Server: nginx
                                                                                                                                                                                    Date: Fri, 29 Oct 2021 15:51:17 GMT
                                                                                                                                                                                    Content-Type: image/gif
                                                                                                                                                                                    Content-Length: 1161
                                                                                                                                                                                    Last-Modified: Mon, 31 Jul 2017 10:32:10 GMT
                                                                                                                                                                                    Connection: keep-alive
                                                                                                                                                                                    Keep-Alive: timeout=15
                                                                                                                                                                                    ETag: "597f072a-489"
                                                                                                                                                                                    Expires: Thu, 18 Nov 2021 15:51:17 GMT
                                                                                                                                                                                    Cache-Control: max-age=1728000
                                                                                                                                                                                    Accept-Ranges: bytes
Oct 29, 2021 17:51:15.851598978 CEST | 1459 | IN | Data Raw: 47 49 46 38 39 61 01 00 01 00 80 00 00 ac dd ef 00 00 00 21 ff 0b 58 4d 50 20 44 61 74 61 58 4d 50 3c 3f 78 70 61 63 6b 65 74 20 62 65 67 69 6e 3d 22 ef bb bf 22 20 69 64 3d 22 57 35 4d 30 4d 70 43 65 68 69 48 7a 72 65 53 7a 4e 54 63 7a 6b 63 39
                                                                                                                                                                                    Data Ascii: GIF89a!XMP DataXMP<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/
Oct 29, 2021 17:51:15.859746933 CEST | 1461 | OUT | GET /.s/img/err/404-logo.png HTTP/1.1
                                                                                                                                                                                    Accept: */*
                                                                                                                                                                                    Referer: http://www.all-bearings.narod.ru/secondpage.html
                                                                                                                                                                                    Accept-Language: en-US
                                                                                                                                                                                    Accept-Encoding: gzip, deflate
                                                                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                                                    Host: www.all-bearings.narod.ru
                                                                                                                                                                                    Connection: Keep-Alive
Oct 29, 2021 17:51:15.925540924 CEST | 1462 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                    Server: nginx
                                                                                                                                                                                    Date: Fri, 29 Oct 2021 15:51:17 GMT
                                                                                                                                                                                    Content-Type: image/png
                                                                                                                                                                                    Content-Length: 2152
                                                                                                                                                                                    Last-Modified: Mon, 31 Jul 2017 10:32:10 GMT
                                                                                                                                                                                    Connection: keep-alive
                                                                                                                                                                                    Keep-Alive: timeout=15
                                                                                                                                                                                    ETag: "597f072a-868"
                                                                                                                                                                                    Expires: Thu, 18 Nov 2021 15:51:17 GMT
                                                                                                                                                                                    Cache-Control: max-age=1728000
                                                                                                                                                                                    Accept-Ranges: bytes
Oct 29, 2021 17:51:15.932754993 CEST  1466                OUT        GET /.s/img/err/404.png HTTP/1.1
    Accept: */*
    Referer: http://www.all-bearings.narod.ru/secondpage.html
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: www.all-bearings.narod.ru
    Connection: Keep-Alive
Oct 29, 2021 17:51:15.998469114 CEST  1469                IN         HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 29 Oct 2021 15:51:17 GMT
    Content-Type: image/png
    Content-Length: 4451
    Last-Modified: Mon, 31 Jul 2017 10:32:10 GMT
    Connection: keep-alive
    Keep-Alive: timeout=15
    ETag: "597f072a-1163"
    Expires: Thu, 18 Nov 2021 15:51:17 GMT
    Cache-Control: max-age=1728000
    Accept-Ranges: bytes
Oct 29, 2021 17:51:16.002221107 CEST  1477                OUT        GET /.s/img/err/404-header-line.gif HTTP/1.1
    Accept: */*
    Referer: http://www.all-bearings.narod.ru/firstpage.html
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: www.all-bearings.narod.ru
    Connection: Keep-Alive
Oct 29, 2021 17:51:16.067758083 CEST  1493                IN         HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 29 Oct 2021 15:51:17 GMT
    Content-Type: image/gif
    Content-Length: 1161
    Last-Modified: Mon, 31 Jul 2017 10:32:10 GMT
    Connection: keep-alive
    Keep-Alive: timeout=15
    ETag: "597f072a-489"
    Expires: Thu, 18 Nov 2021 15:51:17 GMT
    Cache-Control: max-age=1728000
    Accept-Ranges: bytes
Oct 29, 2021 17:51:16.070837975 CEST  1498                OUT        GET /.s/img/err/404-arrow.png HTTP/1.1
    Accept: */*
    Referer: http://www.all-bearings.narod.ru/firstpage.html
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: www.all-bearings.narod.ru
    Connection: Keep-Alive
Oct 29, 2021 17:51:16.136607885 CEST  1664                IN         HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 29 Oct 2021 15:51:17 GMT
    Content-Type: image/png
    Content-Length: 1169
    Last-Modified: Mon, 31 Jul 2017 10:32:10 GMT
    Connection: keep-alive
    Keep-Alive: timeout=15
    ETag: "597f072a-491"
    Expires: Thu, 18 Nov 2021 15:51:17 GMT
    Cache-Control: max-age=1728000
    Accept-Ranges: bytes


Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
13          192.168.2.4  49783        193.109.247.229  80                C:\Users\user\Desktop\njw.exe

Timestamp                             kBytes transferred  Direction  Data
Oct 29, 2021 17:51:15.015364885 CEST  1390                OUT        GET /firstpage.html HTTP/1.1
    Accept: */*
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: www.all-bearings.narod.ru
    Connection: Keep-Alive
Oct 29, 2021 17:51:15.082951069 CEST  1395                IN         HTTP/1.1 404 Not Found
    Server: nginx
    Date: Fri, 29 Oct 2021 15:51:16 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Keep-Alive: timeout=15
    ETag: W/"611e66ad-1ad5"
    Content-Encoding: gzip
Oct 29, 2021 17:51:15.785171032 CEST  1457                OUT        GET /.s/img/err/button.png HTTP/1.1
    Accept: */*
    Referer: http://www.all-bearings.narod.ru/secondpage.html
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: www.all-bearings.narod.ru
    Connection: Keep-Alive
Oct 29, 2021 17:51:15.852315903 CEST  1459                IN         HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 29 Oct 2021 15:51:17 GMT
    Content-Type: image/png
    Content-Length: 1036
    Last-Modified: Mon, 31 Jul 2017 10:32:10 GMT
    Connection: keep-alive
    Keep-Alive: timeout=15
    ETag: "597f072a-40c"
    Expires: Thu, 18 Nov 2021 15:51:17 GMT
    Cache-Control: max-age=1728000
    Accept-Ranges: bytes
                                                                                                                                                                                    Oct 29, 2021 17:51:15.852349997 CEST1460INData Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 01 00 00 00 14 08 02 00 00 00 c3 6c c0 f6 00 00 00 19 74 45 58 74 53 6f 66 74 77 61 72 65 00 41 64 6f 62 65 20 49 6d 61 67 65 52 65 61 64 79 71 c9 65 3c 00 00 03 64 69 54 58 74 58 4d 4c 3a
                                                                                                                                                                                    Data Ascii: PNGIHDRltEXtSoftwareAdobe ImageReadyqe<diTXtXML:com.adobe.xmp<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/0
                                                                                                                                                                                    Oct 29, 2021 17:51:15.858786106 CEST1461OUTGET /.s/img/err/404-arrow.png HTTP/1.1
                                                                                                                                                                                    Accept: */*
                                                                                                                                                                                    Referer: http://www.all-bearings.narod.ru/secondpage.html
                                                                                                                                                                                    Accept-Language: en-US
                                                                                                                                                                                    Accept-Encoding: gzip, deflate
                                                                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                                                    Host: www.all-bearings.narod.ru
                                                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                                                    Oct 29, 2021 17:51:15.925990105 CEST1464INHTTP/1.1 200 OK
                                                                                                                                                                                    Server: nginx
                                                                                                                                                                                    Date: Fri, 29 Oct 2021 15:51:17 GMT
                                                                                                                                                                                    Content-Type: image/png
                                                                                                                                                                                    Content-Length: 1169
                                                                                                                                                                                    Last-Modified: Mon, 31 Jul 2017 10:32:10 GMT
                                                                                                                                                                                    Connection: keep-alive
                                                                                                                                                                                    Keep-Alive: timeout=15
                                                                                                                                                                                    ETag: "597f072a-491"
                                                                                                                                                                                    Expires: Thu, 18 Nov 2021 15:51:17 GMT
                                                                                                                                                                                    Cache-Control: max-age=1728000
                                                                                                                                                                                    Accept-Ranges: bytes
                                                                                                                                                                                    Oct 29, 2021 17:51:15.926028013 CEST1466INData Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 06 00 00 00 09 08 06 00 00 00 11 9a 5d 9d 00 00 00 19 74 45 58 74 53 6f 66 74 77 61 72 65 00 41 64 6f 62 65 20 49 6d 61 67 65 52 65 61 64 79 71 c9 65 3c 00 00 03 64 69 54 58 74 58 4d 4c 3a
                                                                                                                                                                                    Data Ascii: PNGIHDR]tEXtSoftwareAdobe ImageReadyqe<diTXtXML:com.adobe.xmp<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/0
                                                                                                                                                                                    Oct 29, 2021 17:51:15.933043003 CEST1467OUTGET /.s/img/err/button.png HTTP/1.1
                                                                                                                                                                                    Accept: */*
                                                                                                                                                                                    Referer: http://www.all-bearings.narod.ru/firstpage.html
                                                                                                                                                                                    Accept-Language: en-US
                                                                                                                                                                                    Accept-Encoding: gzip, deflate
                                                                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                                                    Host: www.all-bearings.narod.ru
                                                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                                                    Oct 29, 2021 17:51:16.000112057 CEST1474INHTTP/1.1 200 OK
                                                                                                                                                                                    Server: nginx
                                                                                                                                                                                    Date: Fri, 29 Oct 2021 15:51:17 GMT
                                                                                                                                                                                    Content-Type: image/png
                                                                                                                                                                                    Content-Length: 1036
                                                                                                                                                                                    Last-Modified: Mon, 31 Jul 2017 10:32:10 GMT
                                                                                                                                                                                    Connection: keep-alive
                                                                                                                                                                                    Keep-Alive: timeout=15
                                                                                                                                                                                    ETag: "597f072a-40c"
                                                                                                                                                                                    Expires: Thu, 18 Nov 2021 15:51:17 GMT
                                                                                                                                                                                    Cache-Control: max-age=1728000
                                                                                                                                                                                    Accept-Ranges: bytes
                                                                                                                                                                                    Oct 29, 2021 17:51:16.000145912 CEST1476INData Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 01 00 00 00 14 08 02 00 00 00 c3 6c c0 f6 00 00 00 19 74 45 58 74 53 6f 66 74 77 61 72 65 00 41 64 6f 62 65 20 49 6d 61 67 65 52 65 61 64 79 71 c9 65 3c 00 00 03 64 69 54 58 74 58 4d 4c 3a
                                                                                                                                                                                    Data Ascii: PNGIHDRltEXtSoftwareAdobe ImageReadyqe<diTXtXML:com.adobe.xmp<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/0
                                                                                                                                                                                    Oct 29, 2021 17:51:16.003344059 CEST1478OUTGET /.s/img/err/404-logo.png HTTP/1.1
                                                                                                                                                                                    Accept: */*
                                                                                                                                                                                    Referer: http://www.all-bearings.narod.ru/firstpage.html
                                                                                                                                                                                    Accept-Language: en-US
                                                                                                                                                                                    Accept-Encoding: gzip, deflate
                                                                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                                                    Host: www.all-bearings.narod.ru
                                                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                                                    Oct 29, 2021 17:51:16.070466995 CEST1495INHTTP/1.1 200 OK
                                                                                                                                                                                    Server: nginx
                                                                                                                                                                                    Date: Fri, 29 Oct 2021 15:51:17 GMT
                                                                                                                                                                                    Content-Type: image/png
                                                                                                                                                                                    Content-Length: 2152
                                                                                                                                                                                    Last-Modified: Mon, 31 Jul 2017 10:32:10 GMT
                                                                                                                                                                                    Connection: keep-alive
                                                                                                                                                                                    Keep-Alive: timeout=15
                                                                                                                                                                                    ETag: "597f072a-868"
                                                                                                                                                                                    Expires: Thu, 18 Nov 2021 15:51:17 GMT
                                                                                                                                                                                    Cache-Control: max-age=1728000
                                                                                                                                                                                    Accept-Ranges: bytes
                                                                                                                                                                                    Oct 29, 2021 17:51:16.070512056 CEST1497INData Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 2b 00 00 00 1b 08 06 00 00 00 e5 27 76 6d 00 00 00 19 74 45 58 74 53 6f 66 74 77 61 72 65 00 41 64 6f 62 65 20 49 6d 61 67 65 52 65 61 64 79 71 c9 65 3c 00 00 03 64 69 54 58 74 58 4d 4c 3a
                                                                                                                                                                                    Data Ascii: PNGIHDR+'vmtEXtSoftwareAdobe ImageReadyqe<diTXtXML:com.adobe.xmp<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/0
Oct 29, 2021 17:51:16.074219942 CEST | 1499 | OUT | GET /.s/img/err/404.png HTTP/1.1
    Accept: */*
    Referer: http://www.all-bearings.narod.ru/firstpage.html
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: www.all-bearings.narod.ru
    Connection: Keep-Alive
Oct 29, 2021 17:51:16.141700029 CEST | 1666 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 29 Oct 2021 15:51:17 GMT
    Content-Type: image/png
    Content-Length: 4451
    Last-Modified: Mon, 31 Jul 2017 10:32:10 GMT
    Connection: keep-alive
    Keep-Alive: timeout=15
    ETag: "597f072a-1163"
    Expires: Thu, 18 Nov 2021 15:51:17 GMT
    Cache-Control: max-age=1728000
    Accept-Ranges: bytes
Oct 29, 2021 17:51:16.141743898 CEST | 1667 | IN | Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 9b 00 00 00 42 08 06 00 00 00 40 50 a4 6b 00 00 00 19 74 45 58 74 53 6f 66 74 77 61 72 65 00 41 64 6f 62 65 20 49 6d 61 67 65 52 65 61 64 79 71 c9 65 3c 00 00 03 64 69 54 58 74 58 4d 4c 3a
    Data Ascii: PNGIHDRB@PktEXtSoftwareAdobe ImageReadyqe<diTXtXML:com.adobe.xmp<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
14 | 192.168.2.4 | 49787 | 88.212.201.198 | 80 | C:\Users\user\Desktop\njw.exe
Timestamp | kBytes transferred | Direction | Data
Oct 29, 2021 17:51:15.440135956 CEST | 1437 | OUT | GET /hit;counter1?r;s1280*1024*32;uhttp%3A//www.all-bearings.narod.ru/firstpage.html;0.34476715437082456 HTTP/1.1
    Accept: */*
    Referer: http://www.all-bearings.narod.ru/firstpage.html
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: counter.yadro.ru
    Connection: Keep-Alive
Oct 29, 2021 17:51:15.499608040 CEST | 1439 | IN | HTTP/1.1 302 Moved Temporarily
    Date: Fri, 29 Oct 2021 15:51:23 GMT
    Server: 0W/0.8c
    Content-Type: text/html
    Location: https://counter.yadro.ru/hit;counter1?r;s1280*1024*32;uhttp%3A//www.all-bearings.narod.ru/firstpage.html;0.34476715437082456
    Content-Length: 32
    Expires: Wed, 28 Oct 2020 21:00:00 GMT
    Pragma: no-cache
    Cache-control: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 4d 6f 76 65 64 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <html><body>Moved</body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
15          192.168.2.4  49788        87.250.251.119  80                C:\Users\user\Desktop\njw.exe

Timestamp: Oct 29, 2021 17:51:15.440211058 CEST  kBytes transferred: 1437  Direction: OUT  Data:
GET /metrika/watch.js HTTP/1.1
Accept: */*
Referer: http://www.all-bearings.narod.ru/secondpage.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: mc.yandex.ru
Connection: Keep-Alive

Timestamp: Oct 29, 2021 17:51:15.481770992 CEST  kBytes transferred: 1438  Direction: IN  Data:
HTTP/1.1 302 Moved temporarily
Content-Length: 0
Location: https://mc.yandex.ru/metrika/watch.js


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
16          192.168.2.4  49789        87.250.251.119  80                C:\Users\user\Desktop\njw.exe

Timestamp: Oct 29, 2021 17:51:15.440260887 CEST  kBytes transferred: 1438  Direction: OUT  Data:
GET /metrika/watch.js HTTP/1.1
Accept: */*
Referer: http://www.all-bearings.narod.ru/firstpage.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: mc.yandex.ru
Connection: Keep-Alive

Timestamp: Oct 29, 2021 17:51:15.482186079 CEST  kBytes transferred: 1439  Direction: IN  Data:
HTTP/1.1 302 Moved temporarily
Content-Length: 0
Location: https://mc.yandex.ru/metrika/watch.js


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
17          192.168.2.4  49786        88.212.201.198  80                C:\Users\user\Desktop\njw.exe

Timestamp: Oct 29, 2021 17:51:15.440336943 CEST  kBytes transferred: 1438  Direction: OUT  Data:
GET /hit;counter1?r;s1280*1024*32;uhttp%3A//www.all-bearings.narod.ru/secondpage.html;0.5443641556055339 HTTP/1.1
Accept: */*
Referer: http://www.all-bearings.narod.ru/secondpage.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: counter.yadro.ru
Connection: Keep-Alive

Timestamp: Oct 29, 2021 17:51:15.503304958 CEST  kBytes transferred: 1440  Direction: IN  Data:
HTTP/1.1 302 Moved Temporarily
Date: Fri, 29 Oct 2021 15:51:23 GMT
Server: 0W/0.8c
Content-Type: text/html
Location: https://counter.yadro.ru/hit;counter1?r;s1280*1024*32;uhttp%3A//www.all-bearings.narod.ru/secondpage.html;0.5443641556055339
Content-Length: 32
Expires: Wed, 28 Oct 2020 21:00:00 GMT
Pragma: no-cache
Cache-control: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 4d 6f 76 65 64 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <html><body>Moved</body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
2           192.168.2.4  49791        87.250.251.119  443               C:\Users\user\Desktop\njw.exe

Timestamp  kBytes transferred  Direction  Data


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
3           192.168.2.4  49793        88.212.201.198  443               C:\Users\user\Desktop\njw.exe

Timestamp  kBytes transferred  Direction  Data


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
4           192.168.2.4  49795        88.212.201.198  443               C:\Users\user\Desktop\njw.exe

Timestamp  kBytes transferred  Direction  Data


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
5           192.168.2.4  49794        88.212.201.198  443               C:\Users\user\Desktop\njw.exe

Timestamp  kBytes transferred  Direction  Data


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
6           192.168.2.4  49796        87.250.251.119  443               C:\Users\user\Desktop\njw.exe

Timestamp  kBytes transferred  Direction  Data


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
7           192.168.2.4  49797        87.250.251.119  443               C:\Users\user\Desktop\njw.exe

Timestamp  kBytes transferred  Direction  Data


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
8           192.168.2.4  49798        87.250.251.119  443               C:\Users\user\Desktop\njw.exe

Timestamp  kBytes transferred  Direction  Data


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
9           192.168.2.4  49799        87.250.251.119  443               C:\Users\user\Desktop\njw.exe

Timestamp  kBytes transferred  Direction  Data


HTTPS Proxied Packets

Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
0           192.168.2.4  49790        87.250.251.119  443               C:\Users\user\Desktop\njw.exe

Timestamp: 2021-10-29 15:51:15 UTC  kBytes transferred: 0  Direction: OUT  Data:
GET /metrika/watch.js HTTP/1.1
Accept: */*
Referer: http://www.all-bearings.narod.ru/secondpage.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Connection: Keep-Alive
Host: mc.yandex.ru

Timestamp: 2021-10-29 15:51:16 UTC  kBytes transferred: 1  Direction: IN  Data:
HTTP/1.1 200 OK
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
Cache-Control: max-age=3600
Connection: Close
Content-Length: 132911
Content-Type: application/javascript
Date: Fri, 29 Oct 2021 15:51:16 GMT
ETag: "617677e6-2072f"
Expires: Fri, 29 Oct 2021 16:51:16 GMT
Last-Modified: Mon, 25 Oct 2021 12:24:54 GMT
Strict-Transport-Security: max-age=31536000
                                                                                                                                                                                    Data Ascii: =La(a)&&b()}function pd(a,b,c){return function(){var d=Ea(a,b),e=na(arguments);if(d)return c.apply(void 0,e)}}function Qm(a,b,c){return function(){var d=Ea(a,b),e=na(arguments);c.apply(void 0,e);return d}}function Rm(a,b,c,d){return function(){for(var e=[
                                                                                                                                                                                    2021-10-29 15:51:16 UTC118INData Raw: 73 6b 7c 2e 2a 5c 2e 79 61 6e 64 65 78 7c 74 75 72 62 6f 70 61 67 65 73 5c 2e 6f 72 67 7c 74 75 72 62 6f 5c 2e 73 69 74 65 29 24 2f 2c 0a 74 6b 3d 74 28 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 4d 28 61 29 2e 68 6f 73 74 6e 61 6d 65 3b 76 61 72 20 62 3d 21 31 3b 61 26 26 28 62 3d 2d 31 21 3d 3d 61 2e 73 65 61 72 63 68 28 68 6e 29 29 3b 72 65 74 75 72 6e 20 62 7d 29 2c 6a 6e 3d 2f 28 3f 3a 5e 7c 5c 2e 29 28 3f 3a 79 61 7c 79 61 6e 64 65 78 29 5c 2e 28 3f 3a 5c 77 2b 7c 63 6f 6d 3f 5c 2e 5c 77 2b 29 24 2f 2c 6b 6e 3d 74 28 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 4d 28 61 29 2e 68 6f 73 74 6e 61 6d 65 3b 76 61 72 20 62 3d 21 31 3b 61 26 26 28 62 3d 2d 31 21 3d 3d 61 2e 73 65 61 72 63 68 28 6a 6e 29 29 3b 72 65 74 75 72 6e 20 62 7d 29 2c 74 6d 3d 74 28 66
                                                                                                                                                                                    Data Ascii: sk|.*\.yandex|turbopages\.org|turbo\.site)$/,tk=t(function(a){a=M(a).hostname;var b=!1;a&&(b=-1!==a.search(hn));return b}),jn=/(?:^|\.)(?:ya|yandex)\.(?:\w+|com?\.\w+)$/,kn=t(function(a){a=M(a).hostname;var b=!1;a&&(b=-1!==a.search(jn));return b}),tm=t(f
                                                                                                                                                                                    2021-10-29 15:51:16 UTC174INData Raw: 22 3a 22 2a 22 2c 22 2f 22 3a 22 2d 22 2c 22 3d 22 3a 22 5f 22 7d 2c 45 63 3d 74 28 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 6e 28 61 2c 22 63 6f 6e 73 6f 6c 65 22 29 3b 76 61 72 20 62 3d 6e 28 61 2c 22 6c 6f 67 22 29 3b 62 3d 6e 64 28 22 6c 6f 67 22 2c 62 29 3f 45 28 62 2c 61 29 3a 43 3b 76 61 72 20 63 3d 6e 28 61 2c 22 77 61 72 6e 22 29 3b 63 3d 6e 64 28 22 77 61 72 6e 22 2c 63 29 3f 45 28 63 2c 61 29 3a 62 3b 76 61 72 20 64 3d 6e 28 61 2c 22 65 72 72 6f 72 22 29 3b 61 3d 6e 64 28 22 65 72 72 6f 72 22 2c 64 29 3f 45 28 64 2c 61 29 3a 62 3b 72 65 74 75 72 6e 7b 6c 6f 67 3a 62 2c 65 72 72 6f 72 3a 61 2c 77 61 72 6e 3a 63 7d 7d 29 2c 78 6e 3d 41 28 22 70 2e 63 64 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 68 64 28 61 29 7c 7c 0a 41 65 28 61 29 29
                                                                                                                                                                                    Data Ascii: ":"*","/":"-","=":"_"},Ec=t(function(a){a=n(a,"console");var b=n(a,"log");b=nd("log",b)?E(b,a):C;var c=n(a,"warn");c=nd("warn",c)?E(c,a):b;var d=n(a,"error");a=nd("error",d)?E(d,a):b;return{log:b,error:a,warn:c}}),xn=A("p.cd",function(a){if(hd(a)||Ae(a))
                                                                                                                                                                                    2021-10-29 15:51:16 UTC182INData Raw: 75 72 6e 20 6e 75 6c 6c 3b 64 3d 64 2e 63 61 6c 6c 28 61 2e 64 6f 63 75 6d 65 6e 74 2c 0a 22 69 66 72 61 6d 65 22 29 3b 66 3d 28 63 3d 7b 7d 2c 63 2e 63 6f 75 6e 74 65 72 49 64 3d 62 2e 69 64 2c 63 2e 68 69 64 3d 22 22 2b 51 62 28 61 29 2c 63 29 3b 6a 6c 28 61 2c 67 29 3b 63 3d 4c 6e 28 61 2c 66 29 3b 76 61 72 20 6b 3d 4e 6e 28 61 2c 63 28 5b 5d 29 29 3b 44 28 66 75 6e 63 74 69 6f 6e 28 6c 29 7b 76 61 72 20 6d 3d 6e 75 6c 6c 3b 74 72 79 7b 6d 3d 6c 2e 63 6f 6e 74 65 6e 74 57 69 6e 64 6f 77 7d 63 61 74 63 68 28 70 29 7b 7d 6d 26 26 6b 28 6d 2c 7b 74 79 70 65 3a 22 69 6e 69 74 54 6f 43 68 69 6c 64 22 7d 2c 66 75 6e 63 74 69 6f 6e 28 70 2c 75 29 7b 67 2e 4a 28 22 69 6e 69 74 54 6f 50 61 72 65 6e 74 22 2c 5b 70 2c 75 5d 29 7d 29 7d 2c 64 29 3b 48 62 28 61 29
                                                                                                                                                                                    Data Ascii: urn null;d=d.call(a.document,"iframe");f=(c={},c.counterId=b.id,c.hid=""+Qb(a),c);jl(a,g);c=Ln(a,f);var k=Nn(a,c([]));D(function(l){var m=null;try{m=l.contentWindow}catch(p){}m&&k(m,{type:"initToChild"},function(p,u){g.J("initToParent",[p,u])})},d);Hb(a)
                                                                                                                                                                                    2021-10-29 15:51:16 UTC190INData Raw: 3d 0a 64 7d 61 2e 70 72 6f 74 6f 74 79 70 65 2e 51 62 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 70 61 28 74 68 69 73 2e 6f 2c 71 28 45 28 74 68 69 73 2e 66 6c 75 73 68 2c 74 68 69 73 29 2c 45 28 74 68 69 73 2e 51 62 2c 74 68 69 73 29 29 2c 74 68 69 73 2e 6c 62 2c 22 62 2e 66 22 29 7d 3b 61 2e 70 72 6f 74 6f 74 79 70 65 2e 73 65 6e 64 3d 66 75 6e 63 74 69 6f 6e 28 62 2c 63 29 7b 74 68 69 73 2e 55 63 28 62 2c 63 7c 7c 5b 5d 2c 74 68 69 73 2e 56 61 29 3b 74 68 69 73 2e 56 61 2b 3d 31 7d 3b 61 2e 70 72 6f 74 6f 74 79 70 65 2e 70 75 73 68 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 3b 61 2e 70 72 6f 74 6f 74 79 70 65 2e 66 6c 75 73 68 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 3b 72 65 74 75 72 6e 20 61 7d 28 29 2c 67 67 3d 61 61 28 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b
                                                                                                                                                                                    Data Ascii: =d}a.prototype.Qb=function(){pa(this.o,q(E(this.flush,this),E(this.Qb,this)),this.lb,"b.f")};a.prototype.send=function(b,c){this.Uc(b,c||[],this.Va);this.Va+=1};a.prototype.push=function(){};a.prototype.flush=function(){};return a}(),gg=aa(function(a,b){
                                                                                                                                                                                    2021-10-29 15:51:16 UTC198INData Raw: 5b 5d 3b 63 2e 24 62 3d 37 35 30 30 3b 63 2e 6c 62 3d 33 45 34 3b 63 2e 51 62 28 29 3b 72 65 74 75 72 6e 20 63 7d 70 6d 28 62 2c 61 29 3b 62 2e 70 72 6f 74 6f 74 79 70 65 2e 70 75 73 68 3d 66 75 6e 63 74 69 6f 6e 28 63 2c 64 29 7b 76 61 72 20 65 3d 74 68 69 73 2e 4f 62 2e 4e 62 28 63 2c 64 29 3b 4a 61 28 74 68 69 73 2e 62 75 66 66 65 72 2c 65 29 3b 74 68 69 73 2e 4f 62 2e 7a 63 28 74 68 69 73 2e 62 75 66 66 65 72 29 3e 74 68 69 73 2e 24 62 26 26 74 68 69 73 2e 66 6c 75 73 68 28 29 7d 3b 62 2e 70 72 6f 74 6f 74 79 70 65 2e 66 6c 75 73 68 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 63 3d 74 68 69 73 2e 62 75 66 66 65 72 3b 63 2e 6c 65 6e 67 74 68 26 26 28 74 68 69 73 2e 73 65 6e 64 28 63 29 2c 74 68 69 73 2e 62 75 66 66 65 72 3d 5b 5d 29 7d 3b 72 65 74
                                                                                                                                                                                    Data Ascii: [];c.$b=7500;c.lb=3E4;c.Qb();return c}pm(b,a);b.prototype.push=function(c,d){var e=this.Ob.Nb(c,d);Ja(this.buffer,e);this.Ob.zc(this.buffer)>this.$b&&this.flush()};b.prototype.flush=function(){var c=this.buffer;c.length&&(this.send(c),this.buffer=[])};ret
                                                                                                                                                                                    2021-10-29 15:51:16 UTC206INData Raw: 6e 28 65 29 7b 65 2e 43 28 64 29 7d 29 7d 7d 29 2c 49 6f 3d 41 28 22 66 69 64 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 2c 63 3d 43 3b 69 66 28 21 4f 28 61 2e 50 65 72 66 6f 72 6d 61 6e 63 65 4f 62 73 65 72 76 65 72 29 29 72 65 74 75 72 6e 20 63 3b 76 61 72 20 64 3d 4c 28 61 29 3b 69 66 28 64 2e 62 28 22 66 69 64 6f 22 29 29 72 65 74 75 72 6e 20 63 3b 64 2e 6c 28 22 66 69 64 6f 22 2c 21 30 29 3b 76 61 72 20 65 3d 6e 65 77 20 61 2e 50 65 72 66 6f 72 6d 61 6e 63 65 4f 62 73 65 72 76 65 72 28 78 28 61 2c 22 66 69 64 22 2c 66 75 6e 63 74 69 6f 6e 28 66 29 7b 66 3d 66 2e 67 65 74 45 6e 74 72 69 65 73 28 29 5b 30 5d 3b 64 2e 6c 28 22 66 69 64 22 2c 61 2e 4d 61 74 68 2e 72 6f 75 6e 64 28 31 30 30 2a 28 66 2e 70 72 6f 63 65 73 73 69 6e 67 53 74 61
                                                                                                                                                                                    Data Ascii: n(e){e.C(d)})}}),Io=A("fid",function(a){var b,c=C;if(!O(a.PerformanceObserver))return c;var d=L(a);if(d.b("fido"))return c;d.l("fido",!0);var e=new a.PerformanceObserver(x(a,"fid",function(f){f=f.getEntries()[0];d.l("fid",a.Math.round(100*(f.processingSta
                                                                                                                                                                                    2021-10-29 15:51:16 UTC214INData Raw: 63 5b 31 5d 2c 65 3d 63 5b 32 5d 2c 66 3d 63 2e 73 6c 69 63 65 28 33 29 3b 63 3d 70 61 72 73 65 49 6e 74 28 63 5b 30 5d 2c 32 29 3b 69 66 28 31 3d 3d 3d 63 29 63 3d 22 41 54 35 54 36 6b 75 30 36 6b 45 73 58 4b 33 69 79 42 52 67 6f 36 6c 6b 38 72 43 74 58 34 4b 6a 66 30 71 70 52 65 37 34 76 74 41 70 6c 4f 6b 6b 70 53 69 38 45 39 46 44 54 42 4a 6c 49 56 36 73 7a 47 75 57 61 77 79 49 4c 72 4c 6c 7a 74 77 6c 34 4b 45 71 73 31 70 4e 46 76 4e 64 74 49 72 59 74 52 4f 42 4e 31 67 53 47 53 31 61 64 70 2b 6d 79 72 7a 6d 5a 4b 6f 71 45 72 74 43 76 32 30 57 79 57 69 52 6c 45 71 5a 51 55 7a 76 56 33 73 52 61 31 6e 53 63 6d 6c 78 70 74 77 4c 4c 59 37 6f 22 3b 65 6c 73 65 20 69 66 28 32 3d 3d 3d 63 29 63 3d 22 43 79 32 46 63 72 65 4c 4a 4c 70 59 58 57 33 42 58 46 4a 71
                                                                                                                                                                                    Data Ascii: c[1],e=c[2],f=c.slice(3);c=parseInt(c[0],2);if(1===c)c="AT5T6ku06kEsXK3iyBRgo6lk8rCtX4Kjf0qpRe74vtAplOkkpSi8E9FDTBJlIV6szGuWawyILrLlztwl4KEqs1pNFvNdtIrYtROBN1gSGS1adp+myrzmZKoqErtCv20WyWiRlEqZQUzvV3sRa1nScmlxptwLLY7o";else if(2===c)c="Cy2FcreLJLpYXW3BXFJq


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
1           192.168.2.4  49792        88.212.201.198  443               C:\Users\user\Desktop\njw.exe

Timestamp                kBytes transferred  Direction  Data
2021-10-29 15:51:15 UTC  0                   OUT        GET /hit;counter1?r;s1280*1024*32;uhttp%3A//www.all-bearings.narod.ru/secondpage.html;0.5443641556055339 HTTP/1.1
    Accept: */*
    Referer: http://www.all-bearings.narod.ru/secondpage.html
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Connection: Keep-Alive
    Host: counter.yadro.ru
2021-10-29 15:51:16 UTC  13                  IN         HTTP/1.1 302 Moved Temporarily
    Server: nginx/1.17.9
    Date: Fri, 29 Oct 2021 15:51:24 GMT
    Content-Type: text/html
    Content-Length: 32
    Connection: close
    Location: https://counter.yadro.ru/hit;counter1?q;r;s1280*1024*32;uhttp%3A//www.all-bearings.narod.ru/secondpage.html;0.5443641556055339
    Expires: Wed, 28 Oct 2020 21:00:00 GMT
    Pragma: no-cache
    Cache-control: no-cache
    P3P: policyref="/w3c/p3p.xml", CP="UNI"
    Set-Cookie: FTID=1XV1Xy3Wb9uB1XV1Xy001Ei9; path=/; expires=Fri, 28 Oct 2022 21:00:00 GMT; HttpOnly; Secure; SameSite=None; domain=.yadro.ru
    Strict-Transport-Security: max-age=86400
2021-10-29 15:51:16 UTC  13                  IN         Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 4d 6f 76 65 64 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <html><body>Moved</body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
10          192.168.2.4  49800        87.250.251.119  443               C:\Users\user\Desktop\njw.exe

Timestamp                kBytes transferred  Direction  Data
2021-10-29 15:51:21 UTC  272                 OUT        GET /watch/14153041/1?callback=_ymjsp355627947&page-url=http%3A%2F%2Fwww.all-bearings.narod.ru%2Ffirstpage.html&charset=utf-8&browser-info=pv%3A1%3Agdpr%3A14%3Avf%3A9ezyymqkmijljhdjn%3Afp%3A1930%3Afu%3A0%3Aen%3Autf-8%3Ala%3Aen-US%3Av%3A680%3Acn%3A1%3Adp%3A0%3Als%3A732524701665%3Ahid%3A87010386%3Az%3A120%3Ai%3A202101029175120%3Aet%3A1635522680%3Ac%3A1%3Arn%3A244404675%3Au%3A1635522678322622628%3Aw%3A148x47%3As%3A1280x1024x32%3Aifr%3A1%3Aj%3A1%3Ans%3A1635522674781%3Ads%3A0%2C0%2C0%2C0%2C0%2C0%2C%2C155%2C0%2C2520%2C2521%2C0%2C2520%3Aco%3A0%3Arqnl%3A1%3Ast%3A1635522681%3At%3AHTTP%20404%20Resource%20not%20found&t=gdpr%2814%29ti%283%29&wmode=5 HTTP/1.1
    Accept: */*
    Referer: http://www.all-bearings.narod.ru/firstpage.html
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: mc.yandex.ru
    Connection: Keep-Alive
    Cookie: yandexuid=3723159021635522681; i=yROKAQCkQEDp/MhTCtujtSWzFSx7PgG/2QZgPGeQuaYkCYGk4Lr5g33sdF0NzFWf3pPBk9Yj1OF7cHnVzZMM+SWO+Mc=; ymex=1667058681.yrts.1635522681#1667058681.yrtsi.1635522681; yabs-sid=702787781635522681
2021-10-29 15:51:21 UTC  273                 IN         HTTP/1.1 200 Ok
    Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0
    Connection: Close
    Content-Length: 343
    Content-Type: application/javascript
    Date: Fri, 29 Oct 2021 15:51:21 GMT
    Expires: Fri, 29-Oct-2021 15:51:21 GMT
    Last-Modified: Fri, 29-Oct-2021 15:51:21 GMT
    Pragma: no-cache
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
2021-10-29 15:51:21 UTC  274                 IN         Data Raw: 2f 2a 2a 2f 74 72 79 7b 5f 79 6d 6a 73 70 33 35 35 36 32 37 39 34 37 28 7b 22 61 75 74 6f 5f 67 6f 61 6c 73 22 3a 30 2c 22 62 75 74 74 6f 6e 5f 67 6f 61 6c 73 22 3a 30 2c 22 63 5f 72 65 63 70 22 3a 22 31 2e 30 30 30 30 30 22 2c 22 66 6f 72 6d 5f 67 6f 61 6c 73 22 3a 30 2c 22 70 63 73 22 3a 22 31 22 2c 22 77 65 62 76 69 73 6f 72 22 3a 7b 22 61 72 63 68 5f 74 79 70 65 22 3a 22 6e 6f 6e 65 22 2c 22 64 61 74 65 22 3a 22 32 30 32 30 2d 30 39 2d 30 34 20 32 30 3a 33 32 3a 32 31 22 2c 22 66 6f 72 6d 73 22 3a 31 2c 22 72 65 63 70 22 3a 22 31 2e 30 30 30 30 30 22 7d 2c 22 73 62 70 22 3a 20 7b 22 61 22 3a 22 57 70 33 42 63 78 52 52 36 46 46 48 63 78 42 45 79 39 43 33 36 5a 7a 76 49 70 51 55 54 41 39 68 68 4f 68 75 44 70 42 46 30 6b 5a 37 45 2f 4e 73 6d 53 62 5a 54
    Data Ascii: /**/try{_ymjsp355627947({"auto_goals":0,"button_goals":0,"c_recp":"1.00000","form_goals":0,"pcs":"1","webvisor":{"arch_type":"none","date":"2020-09-04 20:32:21","forms":1,"recp":"1.00000"},"sbp": {"a":"Wp3BcxRR6FFHcxBEy9C36ZzvIpQUTA9hhOhuDpBF0kZ7E/NsmSbZT


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
11          192.168.2.4  49801        87.250.251.119  443               C:\Users\user\Desktop\njw.exe

Timestamp                kBytes transferred  Direction  Data
2021-10-29 15:51:21 UTC  274                 OUT        GET /metrika/advert.gif?t=ti(4) HTTP/1.1
    Accept: */*
    Referer: http://www.all-bearings.narod.ru/firstpage.html
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: mc.yandex.ru
    Connection: Keep-Alive
2021-10-29 15:51:21 UTC  275                 IN         HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Access-Control-Allow-Origin: *
    Cache-Control: max-age=3600
    Connection: Close
    Content-Length: 43
    Content-Type: image/gif
    Date: Fri, 29 Oct 2021 15:51:21 GMT
    ETag: "617677e6-2b"
    Expires: Fri, 29 Oct 2021 16:51:21 GMT
    Last-Modified: Mon, 25 Oct 2021 12:24:54 GMT
    Strict-Transport-Security: max-age=31536000
2021-10-29 15:51:21 UTC  275                 IN         Data Raw: 47 49 46 38 39 61 01 00 01 00 80 00 00 00 00 00 00 00 00 21 f9 04 01 00 00 00 00 2c 00 00 00 00 01 00 01 00 00 02 02 44 01 00 3b
    Data Ascii: GIF89a!,D;


Session ID  Source IP  Source Port  Destination IP  Destination Port  Process
2  192.168.2.4  49791  87.250.251.119  443  C:\Users\user\Desktop\njw.exe
Timestamp  kBytes transferred  Direction  Data
2021-10-29 15:51:15 UTC  0  OUT  GET /metrika/watch.js HTTP/1.1
Accept: */*
Referer: http://www.all-bearings.narod.ru/firstpage.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Connection: Keep-Alive
Host: mc.yandex.ru
2021-10-29 15:51:16 UTC  8  IN  HTTP/1.1 200 OK
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
Cache-Control: max-age=3600
Connection: Close
Content-Length: 132911
Content-Type: application/javascript
Date: Fri, 29 Oct 2021 15:51:16 GMT
ETag: "617677e6-2072f"
Expires: Fri, 29 Oct 2021 16:51:16 GMT
Last-Modified: Mon, 25 Oct 2021 12:24:54 GMT
Strict-Transport-Security: max-age=31536000


Session ID  Source IP  Source Port  Destination IP  Destination Port  Process
3  192.168.2.4  49793  88.212.201.198  443  C:\Users\user\Desktop\njw.exe
Timestamp  kBytes transferred  Direction  Data
2021-10-29 15:51:15 UTC  1  OUT  GET /hit;counter1?r;s1280*1024*32;uhttp%3A//www.all-bearings.narod.ru/firstpage.html;0.34476715437082456 HTTP/1.1
Accept: */*
Referer: http://www.all-bearings.narod.ru/firstpage.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Connection: Keep-Alive
Host: counter.yadro.ru
2021-10-29 15:51:16 UTC  14  IN  HTTP/1.1 302 Moved Temporarily
Server: nginx/1.17.9
Date: Fri, 29 Oct 2021 15:51:24 GMT
Content-Type: text/html
Content-Length: 32
Connection: close
Location: https://counter.yadro.ru/hit;counter1?q;r;s1280*1024*32;uhttp%3A//www.all-bearings.narod.ru/firstpage.html;0.34476715437082456
Expires: Wed, 28 Oct 2020 21:00:00 GMT
                                                                                                                                                                                    Pragma: no-cache
                                                                                                                                                                                    Cache-control: no-cache
                                                                                                                                                                                    P3P: policyref="/w3c/p3p.xml", CP="UNI"
                                                                                                                                                                                    Set-Cookie: FTID=1XV1Xy3Wb9uB1XV1Xy001EiW; path=/; expires=Fri, 28 Oct 2022 21:00:00 GMT; HttpOnly; Secure; SameSite=None; domain=.yadro.ru
                                                                                                                                                                                    Strict-Transport-Security: max-age=86400
                                                                                                                                                                                    2021-10-29 15:51:16 UTC14INData Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 4d 6f 76 65 64 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                                                                                                    Data Ascii: <html><body>Moved</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.4 | 49795 | 88.212.201.198 | 443 | C:\Users\user\Desktop\njw.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-29 15:51:16 UTC | 263 | OUT | GET /hit;counter1?q;r;s1280*1024*32;uhttp%3A//www.all-bearings.narod.ru/firstpage.html;0.34476715437082456 HTTP/1.1
Accept: */*
Referer: http://www.all-bearings.narod.ru/firstpage.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Connection: Keep-Alive
Host: counter.yadro.ru
Cookie: FTID=1XV1Xy3Wb9uB1XV1Xy001EiW
2021-10-29 15:51:16 UTC | 264 | IN | HTTP/1.1 200 OK
Server: nginx/1.17.9
Date: Fri, 29 Oct 2021 15:51:24 GMT
Content-Type: image/gif
Content-Length: 43
Connection: close
Expires: Wed, 28 Oct 2020 21:00:00 GMT
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="/w3c/p3p.xml", CP="UNI"
Set-Cookie: VID=27k9Bf33T4OB1XV1Xy001PnT; path=/; expires=Fri, 28 Oct 2022 21:00:00 GMT; HttpOnly; Secure; SameSite=None; domain=.yadro.ru
Access-Control-Allow-Origin: *
Strict-Transport-Security: max-age=86400
2021-10-29 15:51:16 UTC | 265 | IN | Data Raw: 47 49 46 38 39 61 01 00 01 00 80 ff 00 c0 c0 c0 00 00 00 21 f9 04 01 00 00 00 00 2c 00 00 00 00 01 00 01 00 00 02 02 44 01 00 3b
Data Ascii: GIF89a!,D;


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.4 | 49794 | 88.212.201.198 | 443 | C:\Users\user\Desktop\njw.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-29 15:51:16 UTC | 263 | OUT | GET /hit;counter1?q;r;s1280*1024*32;uhttp%3A//www.all-bearings.narod.ru/secondpage.html;0.5443641556055339 HTTP/1.1
Accept: */*
Referer: http://www.all-bearings.narod.ru/secondpage.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Connection: Keep-Alive
Host: counter.yadro.ru
Cookie: FTID=1XV1Xy3Wb9uB1XV1Xy001Ei9
2021-10-29 15:51:16 UTC | 264 | IN | HTTP/1.1 200 OK
Server: nginx/1.17.9
Date: Fri, 29 Oct 2021 15:51:24 GMT
Content-Type: image/gif
Content-Length: 43
Connection: close
Expires: Wed, 28 Oct 2020 21:00:00 GMT
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="/w3c/p3p.xml", CP="UNI"
Set-Cookie: VID=27k78t1mnSOB1XV1Xy001Exq; path=/; expires=Fri, 28 Oct 2022 21:00:00 GMT; HttpOnly; Secure; SameSite=None; domain=.yadro.ru
Access-Control-Allow-Origin: *
Strict-Transport-Security: max-age=86400
2021-10-29 15:51:16 UTC | 264 | IN | Data Raw: 47 49 46 38 39 61 01 00 01 00 80 ff 00 c0 c0 c0 00 00 00 21 f9 04 01 00 00 00 00 2c 00 00 00 00 01 00 01 00 00 02 02 44 01 00 3b
Data Ascii: GIF89a!,D;


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.4 | 49796 | 87.250.251.119 | 443 | C:\Users\user\Desktop\njw.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-29 15:51:20 UTC | 265 | OUT | GET /watch/14153041?callback=_ymjsp303195921&page-url=http%3A%2F%2Fwww.all-bearings.narod.ru%2Fsecondpage.html&charset=utf-8&browser-info=pv%3A1%3Agdpr%3A14%3Avf%3A9ezyymqkmijljhdjn%3Afp%3A1976%3Afu%3A0%3Aen%3Autf-8%3Ala%3Aen-US%3Av%3A680%3Acn%3A1%3Adp%3A0%3Als%3A1156845228070%3Ahid%3A271984739%3Az%3A120%3Ai%3A202101029175118%3Aet%3A1635522678%3Ac%3A1%3Arn%3A1015963535%3Au%3A1635522678322622628%3Aw%3A148x55%3As%3A1280x1024x32%3Aifr%3A1%3Aj%3A1%3Ans%3A1635522674734%3Ads%3A0%2C0%2C0%2C0%2C0%2C0%2C%2C128%2C0%2C1973%2C1975%2C0%2C1973%3Aco%3A0%3Arqnl%3A1%3Ast%3A1635522680%3At%3AHTTP%20404%20Resource%20not%20found&t=gdpr(14)ti(3)&wmode=5 HTTP/1.1
Accept: */*
Referer: http://www.all-bearings.narod.ru/secondpage.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: mc.yandex.ru
Connection: Keep-Alive
2021-10-29 15:51:21 UTC | 266 | IN | HTTP/1.1 302 Moved temporarily
Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0
Connection: Close
Date: Fri, 29 Oct 2021 15:51:20 GMT
Expires: Fri, 29-Oct-2021 15:51:20 GMT
Last-Modified: Fri, 29-Oct-2021 15:51:20 GMT
Location: /watch/14153041/1?callback=_ymjsp303195921&page-url=http%3A%2F%2Fwww.all-bearings.narod.ru%2Fsecondpage.html&charset=utf-8&browser-info=pv%3A1%3Agdpr%3A14%3Avf%3A9ezyymqkmijljhdjn%3Afp%3A1976%3Afu%3A0%3Aen%3Autf-8%3Ala%3Aen-US%3Av%3A680%3Acn%3A1%3Adp%3A0%3Als%3A1156845228070%3Ahid%3A271984739%3Az%3A120%3Ai%3A202101029175118%3Aet%3A1635522678%3Ac%3A1%3Arn%3A1015963535%3Au%3A1635522678322622628%3Aw%3A148x55%3As%3A1280x1024x32%3Aifr%3A1%3Aj%3A1%3Ans%3A1635522674734%3Ads%3A0%2C0%2C0%2C0%2C0%2C0%2C%2C128%2C0%2C1973%2C1975%2C0%2C1973%3Aco%3A0%3Arqnl%3A1%3Ast%3A1635522680%3At%3AHTTP%20404%20Resource%20not%20found&t=gdpr%2814%29ti%283%29&wmode=5
Pragma: no-cache
Set-Cookie: yandexuid=847304281635522680; Expires=Sat, 29-Oct-2022 15:51:20 GMT; Domain=.yandex.ru; Path=/
Set-Cookie: yabs-sid=2327043721635522680; Path=/
Set-Cookie: i=vL1T7ICVuHRXpyNPzwMzlaKjl/D94ryPalEPO4xIx2pX5AZpVtBfDP0muIercdmDCjCbNqUK2tSOHbHUPiY/6ZY1euA=; Expires=Mon, 27-Oct-2031 15:51:20 GMT; Domain=.yandex.ru; Path=/; Secure; HttpOnly
Set-Cookie: ymex=1667058680.yrts.1635522680#1667058680.yrtsi.1635522680; Expires=Sat, 29-Oct-2022 15:51:20 GMT; Domain=.yandex.ru; Path=/
Strict-Transport-Security: max-age=31536000
Transfer-Encoding: chunked
X-XSS-Protection: 1; mode=block
2021-10-29 15:51:21 UTC | 267 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
7 | 192.168.2.4 | 49797 | 87.250.251.119 | 443 | C:\Users\user\Desktop\njw.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-29 15:51:21 UTC | 267 | OUT | GET /watch/14153041?callback=_ymjsp355627947&page-url=http%3A%2F%2Fwww.all-bearings.narod.ru%2Ffirstpage.html&charset=utf-8&browser-info=pv%3A1%3Agdpr%3A14%3Avf%3A9ezyymqkmijljhdjn%3Afp%3A1930%3Afu%3A0%3Aen%3Autf-8%3Ala%3Aen-US%3Av%3A680%3Acn%3A1%3Adp%3A0%3Als%3A732524701665%3Ahid%3A87010386%3Az%3A120%3Ai%3A202101029175120%3Aet%3A1635522680%3Ac%3A1%3Arn%3A244404675%3Au%3A1635522678322622628%3Aw%3A148x47%3As%3A1280x1024x32%3Aifr%3A1%3Aj%3A1%3Ans%3A1635522674781%3Ads%3A0%2C0%2C0%2C0%2C0%2C0%2C%2C155%2C0%2C2520%2C2521%2C0%2C2520%3Aco%3A0%3Arqnl%3A1%3Ast%3A1635522681%3At%3AHTTP%20404%20Resource%20not%20found&t=gdpr(14)ti(3)&wmode=5 HTTP/1.1
Accept: */*
Referer: http://www.all-bearings.narod.ru/firstpage.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: mc.yandex.ru
Connection: Keep-Alive
2021-10-29 15:51:21 UTC | 268 | IN | HTTP/1.1 302 Moved temporarily
Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0
Connection: Close
Date: Fri, 29 Oct 2021 15:51:21 GMT
Expires: Fri, 29-Oct-2021 15:51:21 GMT
Last-Modified: Fri, 29-Oct-2021 15:51:21 GMT
Location: /watch/14153041/1?callback=_ymjsp355627947&page-url=http%3A%2F%2Fwww.all-bearings.narod.ru%2Ffirstpage.html&charset=utf-8&browser-info=pv%3A1%3Agdpr%3A14%3Avf%3A9ezyymqkmijljhdjn%3Afp%3A1930%3Afu%3A0%3Aen%3Autf-8%3Ala%3Aen-US%3Av%3A680%3Acn%3A1%3Adp%3A0%3Als%3A732524701665%3Ahid%3A87010386%3Az%3A120%3Ai%3A202101029175120%3Aet%3A1635522680%3Ac%3A1%3Arn%3A244404675%3Au%3A1635522678322622628%3Aw%3A148x47%3As%3A1280x1024x32%3Aifr%3A1%3Aj%3A1%3Ans%3A1635522674781%3Ads%3A0%2C0%2C0%2C0%2C0%2C0%2C%2C155%2C0%2C2520%2C2521%2C0%2C2520%3Aco%3A0%3Arqnl%3A1%3Ast%3A1635522681%3At%3AHTTP%20404%20Resource%20not%20found&t=gdpr%2814%29ti%283%29&wmode=5
Pragma: no-cache
Set-Cookie: yandexuid=3723159021635522681; Expires=Sat, 29-Oct-2022 15:51:21 GMT; Domain=.yandex.ru; Path=/
Set-Cookie: yabs-sid=702787781635522681; Path=/
Set-Cookie: i=yROKAQCkQEDp/MhTCtujtSWzFSx7PgG/2QZgPGeQuaYkCYGk4Lr5g33sdF0NzFWf3pPBk9Yj1OF7cHnVzZMM+SWO+Mc=; Expires=Mon, 27-Oct-2031 15:51:14 GMT; Domain=.yandex.ru; Path=/; Secure; HttpOnly
Set-Cookie: ymex=1667058681.yrts.1635522681#1667058681.yrtsi.1635522681; Expires=Sat, 29-Oct-2022 15:51:21 GMT; Domain=.yandex.ru; Path=/
Strict-Transport-Security: max-age=31536000
Transfer-Encoding: chunked
X-XSS-Protection: 1; mode=block
2021-10-29 15:51:21 UTC | 270 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
8 | 192.168.2.4 | 49798 | 87.250.251.119 | 443 | C:\Users\user\Desktop\njw.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-29 15:51:21 UTC | 270 | OUT | GET /metrika/advert.gif?t=ti(4) HTTP/1.1
Accept: */*
Referer: http://www.all-bearings.narod.ru/secondpage.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: mc.yandex.ru
Connection: Keep-Alive
2021-10-29 15:51:21 UTC | 270 | IN | HTTP/1.1 200 OK
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
Cache-Control: max-age=3600
Connection: Close
Content-Length: 43
Content-Type: image/gif
Date: Fri, 29 Oct 2021 15:51:21 GMT
ETag: "617677e6-2b"
Expires: Fri, 29 Oct 2021 16:51:21 GMT
Last-Modified: Mon, 25 Oct 2021 12:24:54 GMT
Strict-Transport-Security: max-age=31536000
2021-10-29 15:51:21 UTC | 270 | IN | Data Raw: 47 49 46 38 39 61 01 00 01 00 80 00 00 00 00 00 00 00 00 21 f9 04 01 00 00 00 00 2c 00 00 00 00 01 00 01 00 00 02 02 44 01 00 3b
Data Ascii: GIF89a!,D;


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
9 | 192.168.2.4 | 49799 | 87.250.251.119 | 443 | C:\Users\user\Desktop\njw.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-29 15:51:21 UTC | 270 | OUT | GET /watch/14153041/1?callback=_ymjsp303195921&page-url=http%3A%2F%2Fwww.all-bearings.narod.ru%2Fsecondpage.html&charset=utf-8&browser-info=pv%3A1%3Agdpr%3A14%3Avf%3A9ezyymqkmijljhdjn%3Afp%3A1976%3Afu%3A0%3Aen%3Autf-8%3Ala%3Aen-US%3Av%3A680%3Acn%3A1%3Adp%3A0%3Als%3A1156845228070%3Ahid%3A271984739%3Az%3A120%3Ai%3A202101029175118%3Aet%3A1635522678%3Ac%3A1%3Arn%3A1015963535%3Au%3A1635522678322622628%3Aw%3A148x55%3As%3A1280x1024x32%3Aifr%3A1%3Aj%3A1%3Ans%3A1635522674734%3Ads%3A0%2C0%2C0%2C0%2C0%2C0%2C%2C128%2C0%2C1973%2C1975%2C0%2C1973%3Aco%3A0%3Arqnl%3A1%3Ast%3A1635522680%3At%3AHTTP%20404%20Resource%20not%20found&t=gdpr%2814%29ti%283%29&wmode=5 HTTP/1.1
Accept: */*
Referer: http://www.all-bearings.narod.ru/secondpage.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: mc.yandex.ru
Connection: Keep-Alive
Cookie: yandexuid=847304281635522680; i=vL1T7ICVuHRXpyNPzwMzlaKjl/D94ryPalEPO4xIx2pX5AZpVtBfDP0muIercdmDCjCbNqUK2tSOHbHUPiY/6ZY1euA=; ymex=1667058680.yrts.1635522680#1667058680.yrtsi.1635522680; yabs-sid=2327043721635522680
2021-10-29 15:51:21 UTC | 273 | IN | HTTP/1.1 200 Ok
Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0
Connection: Close
Content-Length: 343
Content-Type: application/javascript
Date: Fri, 29 Oct 2021 15:51:21 GMT
Expires: Fri, 29-Oct-2021 15:51:21 GMT
Last-Modified: Fri, 29-Oct-2021 15:51:21 GMT
Pragma: no-cache
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
2021-10-29 15:51:21 UTC | 273 | IN | Data Raw: 2f 2a 2a 2f 74 72 79 7b 5f 79 6d 6a 73 70 33 30 33 31 39 35 39 32 31 28 7b 22 61 75 74 6f 5f 67 6f 61 6c 73 22 3a 30 2c 22 62 75 74 74 6f 6e 5f 67 6f 61 6c 73 22 3a 30 2c 22 63 5f 72 65 63 70 22 3a 22 31 2e 30 30 30 30 30 22 2c 22 66 6f 72 6d 5f 67 6f 61 6c 73 22 3a 30 2c 22 70 63 73 22 3a 22 31 22 2c 22 77 65 62 76 69 73 6f 72 22 3a 7b 22 61 72 63 68 5f 74 79 70 65 22 3a 22 6e 6f 6e 65 22 2c 22 64 61 74 65 22 3a 22 32 30 32 30 2d 30 39 2d 30 34 20 32 30 3a 33 32 3a 32 31 22 2c 22 66 6f 72 6d 73 22 3a 31 2c 22 72 65 63 70 22 3a 22 31 2e 30 30 30 30 30 22 7d 2c 22 73 62 70 22 3a 20 7b 22 61 22 3a 22 64 49 2f 53 48 47 41 4a 56 2b 51 46 38 2b 43 6a 73 68 70 4e 49 6a 41 73 64 6a 58 77 61 4e 53 70 32 70 32 45 74 59 6b 41 78 78 4b 4b 74 63 74 6a 4b 79 2b 69 75
Data Ascii: /**/try{_ymjsp303195921({"auto_goals":0,"button_goals":0,"c_recp":"1.00000","form_goals":0,"pcs":"1","webvisor":{"arch_type":"none","date":"2020-09-04 20:32:21","forms":1,"recp":"1.00000"},"sbp": {"a":"dI/SHGAJV+QF8+CjshpNIjAsdjXwaNSp2p2EtYkAxxKKtctjKy+iu


                                                                                                                                                                                    Code Manipulations

                                                                                                                                                                                    Statistics

                                                                                                                                                                                    CPU Usage

                                                                                                                                                                                    Memory Usage

                                                                                                                                                                                    High Level Behavior Distribution

                                                                                                                                                                                    System Behavior

                                                                                                                                                                                    General

Start time: 17:50:33
Start date: 29/10/2021
Path: C:\Users\user\Desktop\njw.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\njw.exe'
Imagebase: 0x400000
File size: 1694802 bytes
MD5 hash: 3F91F84924D1DB7ACE9AD307FCAE35D1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Author: Joe Security
Reputation: low

                                                                                                                                                                                    Disassembly

                                                                                                                                                                                    Code Analysis

Execution Graph

Execution Coverage: 11.1%
Dynamic/Decrypted Code Coverage: 13%
Signature Coverage: 8.2%
Total number of Nodes: 2000
Total number of Limit Nodes: 57

                                                                                                                                                                                      Graph

GetCurrentProcess ReadProcessMemory 24378->24476 24379->24378 24380 41df38 161 API calls 24379->24380 24380->24378 24382 41e836 24387 41df38 161 API calls 24382->24387 24388 41e947 24382->24388 24384 41e83b 24383->24384 24385 41e7a8 24383->24385 24384->24382 24384->24388 24389 41df38 161 API calls 24384->24389 24385->24382 24385->24388 24439 41df38 24385->24439 24387->24388 24390 4061b0 153 API calls 24388->24390 24389->24384 24391 41e98a 24390->24391 24391->24344 24392 41eb2c 24391->24392 24393 41eb3c 24392->24393 24394 41eb88 24393->24394 25037 41e9d4 153 API calls 24393->25037 24394->24349 24397 41ef21 24396->24397 24398 41ef86 24397->24398 24404 41d3c0 159 API calls 24397->24404 24399 41f043 24398->24399 24402 41efc7 24398->24402 24400 41f04e VirtualQuery 24399->24400 24403 41efb7 24399->24403 24400->24403 24409 41f060 24400->24409 25038 41ecb4 24402->25038 24403->24349 24405 41ef82 24404->24405 24405->24398 24407 41efab 24405->24407 24406 410a50 2 API calls 24406->24409 25046 41dd00 153 API calls 24407->25046 24409->24403 24409->24406 24410 41ecb4 159 API calls 24409->24410 24410->24409 24412 4061e8 24411->24412 24414 4061b6 24411->24414 24412->24334 24413 4061e0 24415 402830 153 API calls 24413->24415 24414->24412 24414->24413 24416 405384 153 API calls 24414->24416 24415->24412 24416->24413 24417->24360 24418->24348 24419->24355 24420->24359 24421->24362 24423 404822 24422->24423 24424 404848 24423->24424 24425 402830 153 API calls 24423->24425 24424->24339 24425->24423 24427 4068a2 24426->24427 24428 4068af 24426->24428 25047 406980 InterlockedDecrement 24427->25047 24431 402810 153 API calls 24430->24431 24432 405782 24431->24432 24432->24371 24434 41da31 24433->24434 24477 411c84 24434->24477 24436 41da4c 24480 405350 24436->24480 24442 41df76 24439->24442 24440 4047f8 153 API calls 24441 41e5cc 24440->24441 24443 405384 153 API calls 24441->24443 24444 413288 2 API calls 24442->24444 24448 41e000 VirtualQuery 24442->24448 24466 41df94 24442->24466 24446 
41e5e2 24443->24446 24447 41dfe9 24444->24447 24446->24385 24447->24448 24758 410a50 24447->24758 24450 41e048 24448->24450 24454 41e08f 24448->24454 24451 41e076 24450->24451 24450->24454 24695 41dde4 24450->24695 24451->24454 24761 41cb28 24451->24761 24455 41e386 24454->24455 24456 41e3a5 GetModuleHandleA 24454->24456 24457 41e19e 24454->24457 24454->24466 24459 413288 2 API calls 24455->24459 24455->24466 24456->24455 24460 41e3c1 24456->24460 24698 41bd80 24457->24698 24462 41e472 24459->24462 24751 41de8c 24460->24751 24461 41e1bf 24461->24455 24702 41ce14 24461->24702 24465 41ce14 159 API calls 24462->24465 24462->24466 24465->24466 24466->24440 24467 41e3cd 24467->24455 24468 41d3c0 159 API calls 24467->24468 24468->24455 24471 41e22c 24471->24455 24472 41bd80 153 API calls 24471->24472 24473 404b0c 153 API calls 24471->24473 24474 41ce14 159 API calls 24471->24474 24475 41d3c0 159 API calls 24471->24475 24472->24471 24473->24471 24474->24471 24475->24471 24476->24383 24484 411714 24477->24484 24481 405362 24480->24481 24483 40537b 24481->24483 24676 405384 24481->24676 24483->24375 24485 411745 24484->24485 24486 4117a0 VirtualQuery 24485->24486 24487 411c08 24486->24487 24488 4117bb 24486->24488 24537 40ade4 153 API calls 24487->24537 24488->24487 24489 4117c8 24488->24489 24506 40c1cc IsBadHugeReadPtr 24489->24506 24492 411c32 24493 40484c 152 API calls 24492->24493 24494 411acc 24493->24494 24495 4047f8 152 API calls 24494->24495 24496 411c5b 24495->24496 24496->24436 24497 41120c 152 API calls 24504 4117d3 24497->24504 24498 411a60 24499 411aa3 24498->24499 24505 411ad1 24498->24505 24500 40484c 152 API calls 24499->24500 24500->24494 24504->24497 24504->24498 24508 4109b4 24504->24508 24511 410ccc 24504->24511 24505->24494 24534 410a38 24505->24534 24507 40c1f2 24506->24507 24507->24504 24538 40de6c 24508->24538 24510 410a2e 24510->24504 24512 410cf3 24511->24512 24513 410d1c 24512->24513 24515 410d3c 24512->24515 24520 410dbb 24512->24520 24523 
410ffc 24512->24523 24522 413288 2 API calls 24513->24522 24513->24523 24514 4047f8 153 API calls 24516 4111f4 24514->24516 24519 410a38 2 API calls 24515->24519 24517 4047f8 153 API calls 24516->24517 24518 4111fc 24517->24518 24518->24504 24519->24513 24520->24513 24521 410a38 2 API calls 24520->24521 24524 410e84 24521->24524 24526 410f9d 24522->24526 24523->24514 24524->24513 24528 410a38 2 API calls 24524->24528 24525 410a38 2 API calls 24527 410fc1 24525->24527 24526->24523 24526->24525 24527->24523 24529 410fcd 24527->24529 24528->24524 24553 40c0f4 VirtualQuery GetVersion GetModuleFileNameA GetModuleFileNameW GetVersion 24529->24553 24531 410fdb 24532 410ff0 24531->24532 24554 40c5a8 24531->24554 24532->24523 24535 4109b4 2 API calls 24534->24535 24536 410a4c 24535->24536 24536->24505 24537->24492 24539 40de8b 24538->24539 24541 40dfec 24539->24541 24542 40d6fc 24539->24542 24541->24510 24543 40d7a2 24542->24543 24547 40d710 24542->24547 24544 40d80e 24543->24544 24546 40d85e 24543->24546 24543->24547 24549 413288 24544->24549 24546->24547 24548 413288 2 API calls 24546->24548 24547->24541 24548->24547 24550 41329f 24549->24550 24551 4132e6 24550->24551 24552 4132cc GetCurrentProcess ReadProcessMemory 24550->24552 24551->24547 24552->24551 24553->24531 24555 4047f8 153 API calls 24554->24555 24556 40c5d6 24555->24556 24569 40c24c 24556->24569 24558 40c6a2 24561 40481c 153 API calls 24558->24561 24559 40c5dd 24568 40c66b 24559->24568 24572 40a418 24559->24572 24563 40c6bc 24561->24563 24562 40c684 24562->24558 24593 404b80 24562->24593 24563->24532 24568->24558 24592 40c744 153 API calls 24568->24592 24602 40c228 24569->24602 24605 40a0e4 24572->24605 24574 40a436 24622 409edc 24574->24622 24577 404b0c 24578 404b10 24577->24578 24579 404b71 24577->24579 24580 40484c 24578->24580 24582 404b18 24578->24582 24585 4048bc 153 API calls 24580->24585 24587 404860 24580->24587 24581 40488e 24581->24568 24582->24579 24583 404b27 24582->24583 24584 40484c 153 API 
calls 24582->24584 24586 4048bc 153 API calls 24583->24586 24584->24583 24585->24587 24589 404b41 24586->24589 24587->24581 24588 402830 153 API calls 24587->24588 24588->24581 24590 40484c 153 API calls 24589->24590 24591 404b6d 24590->24591 24591->24568 24592->24562 24594 404b91 24593->24594 24595 404bb1 24594->24595 24596 404bc5 24594->24596 24597 404e44 153 API calls 24595->24597 24598 4048bc 153 API calls 24596->24598 24600 404bbf 24597->24600 24598->24600 24599 404bf6 24600->24599 24601 40484c 153 API calls 24600->24601 24601->24599 24603 40c1cc IsBadHugeReadPtr 24602->24603 24604 40c235 24603->24604 24604->24559 24606 40a0f3 24605->24606 24607 40a1b1 24606->24607 24608 40a0fd 24606->24608 24609 40484c 153 API calls 24607->24609 24638 404e44 24608->24638 24621 40a1af 24609->24621 24611 40a11e 24613 40a16f 24611->24613 24647 404cc4 153 API calls 24611->24647 24616 40a17c 24613->24616 24648 404cc4 153 API calls 24613->24648 24616->24621 24649 404cc4 153 API calls 24616->24649 24617 40a18d 24650 404cc4 153 API calls 24617->24650 24619 40a195 24620 404e44 153 API calls 24619->24620 24620->24621 24621->24574 24623 409efe 24622->24623 24634 409f5c 24622->24634 24624 404e44 153 API calls 24623->24624 24626 409f08 24624->24626 24625 40481c 153 API calls 24627 409f90 24625->24627 24628 409f6c 24626->24628 24631 409f1b 24626->24631 24627->24577 24657 404ac8 24628->24657 24629 409f5e 24632 404b0c 153 API calls 24629->24632 24631->24629 24633 409f30 24631->24633 24632->24634 24652 409814 24633->24652 24634->24625 24637 404b80 153 API calls 24637->24634 24639 404e51 24638->24639 24646 404e81 24638->24646 24641 404e7a 24639->24641 24642 404e5d 24639->24642 24640 4047f8 153 API calls 24644 404e6b 24640->24644 24643 4048bc 153 API calls 24641->24643 24651 402850 153 API calls 24642->24651 24643->24646 24644->24611 24646->24640 24647->24611 24648->24616 24649->24617 24650->24619 24651->24644 24653 40484c 153 API calls 24652->24653 24654 40982e 24653->24654 24671 404d58 
24654->24671 24658 404b0b 24657->24658 24659 404acc 24657->24659 24658->24634 24660 404ad6 24659->24660 24666 40484c 24659->24666 24661 404b00 24660->24661 24662 404ae9 24660->24662 24665 404e44 153 API calls 24661->24665 24664 404e44 153 API calls 24662->24664 24663 40488e 24663->24634 24670 404aee 24664->24670 24665->24670 24667 4048bc 153 API calls 24666->24667 24668 404860 24666->24668 24667->24668 24668->24663 24669 402830 153 API calls 24668->24669 24669->24663 24670->24634 24672 404d08 153 API calls 24671->24672 24674 404d66 24672->24674 24673 404d9c 24673->24637 24674->24673 24675 404e44 153 API calls 24674->24675 24675->24673 24677 40538d 24676->24677 24686 4053c2 24676->24686 24678 4053a2 24677->24678 24679 4053c7 24677->24679 24684 40540a 24678->24684 24685 4053ae 24678->24685 24678->24686 24680 4053d8 24679->24680 24681 4053ce 24679->24681 24683 40481c 153 API calls 24680->24683 24682 4047f8 153 API calls 24681->24682 24682->24686 24683->24686 24684->24686 24691 405384 153 API calls 24684->24691 24687 4053b2 24685->24687 24688 405428 24685->24688 24686->24481 24689 4053ba 24687->24689 24690 40543e 24687->24690 24688->24686 24692 405350 153 API calls 24688->24692 24689->24686 24694 4061b0 153 API calls 24689->24694 24690->24686 24693 40689c 9 API calls 24690->24693 24691->24684 24692->24688 24693->24690 24694->24689 24696 413288 2 API calls 24695->24696 24697 41de07 24696->24697 24697->24451 24699 41bd96 24698->24699 24701 41be1b 24698->24701 24699->24701 24771 40556c 24699->24771 24701->24461 24703 41ce32 24702->24703 24708 41cf35 VirtualQuery 24703->24708 24709 41cf63 24703->24709 24717 41ce79 24703->24717 24704 4047f8 153 API calls 24707 41d26c 24704->24707 24705 41cf9b 24706 411714 153 API calls 24705->24706 24718 41cfb3 24706->24718 24711 405350 153 API calls 24707->24711 24708->24709 24712 41cf46 24708->24712 24709->24705 24710 41cfb8 24709->24710 24780 41be64 153 API calls 24710->24780 24714 41d27a 24711->24714 24712->24709 24721 41cb28 154 API 
calls 24712->24721 24716 4047f8 153 API calls 24714->24716 24715 41cfe1 24781 41be64 153 API calls 24715->24781 24720 41d282 24716->24720 24717->24704 24718->24717 24722 41d075 GetVersion 24718->24722 24734 41d09c 24718->24734 24720->24471 24745 41d3c0 24720->24745 24721->24709 24724 41d081 GetModuleHandleA 24722->24724 24722->24734 24723 41cff7 24782 41be64 153 API calls 24723->24782 24785 40c358 24724->24785 24727 41d00d 24783 41be64 153 API calls 24727->24783 24730 41d023 24784 41be64 153 API calls 24730->24784 24732 41d03d 24735 411714 153 API calls 24732->24735 24733 40556c 153 API calls 24736 41d1c2 24733->24736 24734->24733 24735->24718 24737 41d1f4 24736->24737 24738 41d1d4 24736->24738 24740 40484c 153 API calls 24737->24740 24798 41cd80 153 API calls 24738->24798 24743 41d1f2 24740->24743 24741 41d1e1 24742 40484c 153 API calls 24741->24742 24742->24743 24743->24717 24744 41ce14 156 API calls 24743->24744 24744->24743 24746 41d54c 24745->24746 24750 41d3dc 24745->24750 24746->24471 24747 41ce14 159 API calls 24747->24750 24748 41d4ad 24748->24746 24749 410a50 2 API calls 24748->24749 24749->24748 24750->24746 24750->24747 24750->24748 24752 40c24c IsBadHugeReadPtr 24751->24752 24754 41deb7 24752->24754 24753 40c1cc IsBadHugeReadPtr 24755 41defd 24753->24755 24754->24753 24756 41ce14 159 API calls 24755->24756 24757 41df2e 24756->24757 24757->24467 24759 4109b4 2 API calls 24758->24759 24760 410a66 24759->24760 24760->24448 24762 41cb4a 24761->24762 24763 41cb6e GetModuleFileNameA 24761->24763 24762->24763 24770 41cb5f 24762->24770 24764 41cb86 24763->24764 24763->24770 24765 40c1cc IsBadHugeReadPtr 24764->24765 24766 41cb8d 24765->24766 24767 41cc55 24766->24767 24768 404d58 153 API calls 24766->24768 24766->24770 24800 41c45c 24767->24800 24768->24767 24770->24454 24776 405586 24771->24776 24772 40484c 153 API calls 24772->24776 24773 405672 24773->24701 24775 40556c 153 API calls 24775->24776 24776->24772 24776->24773 24776->24775 24778 405688 153 API 
calls 24776->24778 24779 4061ec 153 API calls 24776->24779 24778->24776 24779->24776 24780->24715 24781->24723 24782->24727 24783->24730 24784->24732 24786 40c37c 24785->24786 24788 40c1cc IsBadHugeReadPtr 24786->24788 24792 40c447 24786->24792 24787 4047f8 153 API calls 24789 40c542 24787->24789 24793 40c39b 24788->24793 24790 4047f8 153 API calls 24789->24790 24791 40c54a 24790->24791 24791->24734 24792->24787 24793->24792 24794 40c44f GetModuleFileNameA 24793->24794 24797 40c47e 24793->24797 24794->24797 24796 40c505 24796->24792 24799 40c254 155 API calls 24797->24799 24798->24741 24799->24796 24801 41c490 VirtualQuery 24800->24801 24802 41c48a 24800->24802 24803 41c4b6 24801->24803 24804 41c55b 24801->24804 24802->24801 24803->24804 24806 41c4d3 GetModuleFileNameA 24803->24806 24805 41ba64 151 API calls 24804->24805 24808 41c559 24805->24808 24806->24804 24807 41c4ef 24806->24807 24816 41c300 24807->24816 24809 40481c 151 API calls 24808->24809 24811 41c5b8 24809->24811 24811->24770 24812 41c510 24812->24808 24822 41ba64 24812->24822 24819 41c316 24816->24819 24817 4047f8 152 API calls 24818 41c411 24817->24818 24818->24812 24820 41c377 FileTimeToDosDateTime 24819->24820 24821 41c398 24819->24821 24820->24821 24821->24817 24823 41ba71 24822->24823 24825 40484c 153 API calls 24823->24825 24843 41bbb5 24823->24843 24824 4047f8 153 API calls 24826 41bc4f 24824->24826 24827 41bac8 24825->24827 24826->24808 24848 41c284 24826->24848 24828 41bbf7 24827->24828 24829 41bad9 24827->24829 24830 41b7b4 153 API calls 24828->24830 24831 40c1cc IsBadHugeReadPtr 24829->24831 24832 41bc06 24830->24832 24833 41bade 24831->24833 24836 41abc0 153 API calls 24832->24836 24832->24843 24834 41bbc8 24833->24834 24835 41bae8 24833->24835 24837 41b7b4 153 API calls 24834->24837 24839 40484c 153 API calls 24835->24839 24836->24843 24838 41bbd7 24837->24838 24841 41abc0 153 API calls 24838->24841 24838->24843 24840 41bb90 24839->24840 24852 419bd8 24840->24852 24841->24843 24843->24824 
24849 41c29b 24848->24849 24850 41c2a7 FileTimeToDosDateTime 24849->24850 24851 41c2c5 24850->24851 24851->24808 24912 40c6e8 24852->24912 24856 419c1a 24857 4047f8 153 API calls 24856->24857 24858 419c3a 24857->24858 24858->24843 24859 41b7b4 24858->24859 24860 41b7e2 24859->24860 24861 41b7ef 24859->24861 24860->24861 24862 41b9d6 24860->24862 24997 404d18 153 API calls 24861->24997 24880 41b9a0 24862->24880 25002 41b488 153 API calls 24862->25002 24865 41b822 24868 41b89a 24865->24868 24872 41b833 24865->24872 24866 40481c 153 API calls 24867 41ba26 24866->24867 24869 4061b0 153 API calls 24867->24869 24870 404890 153 API calls 24868->24870 24871 41ba34 24869->24871 24874 41b898 24870->24874 24871->24843 24888 41abc0 24871->24888 24998 404d18 153 API calls 24872->24998 24874->24880 24999 41b610 153 API calls 24874->24999 24875 41b864 24876 404b0c 153 API calls 24875->24876 24878 41b874 24876->24878 24878->24874 24879 404890 153 API calls 24878->24879 24879->24874 24880->24866 24881 41b8cc 24881->24880 24882 40c1cc IsBadHugeReadPtr 24881->24882 24883 41b931 24882->24883 24884 41b9a5 24883->24884 24886 41b937 24883->24886 24884->24880 25001 41b488 153 API calls 24884->25001 24886->24880 25000 41b488 153 API calls 24886->25000 24889 404890 153 API calls 24888->24889 24890 41abec 24889->24890 24891 404d58 153 API calls 24890->24891 24892 41ac0f 24891->24892 24893 41ac43 24892->24893 24895 404b0c 153 API calls 24892->24895 24894 404b0c 153 API calls 24893->24894 24896 41ac53 24894->24896 24897 41ac23 24895->24897 25003 418734 24896->25003 24899 418734 153 API calls 24897->24899 24900 41ac2e 24899->24900 24900->24893 24903 41ac32 24900->24903 24901 41ac5e 24902 41ac6e 24901->24902 24904 419848 153 API calls 24901->24904 24906 404b0c 153 API calls 24902->24906 24907 41ac3e 24902->24907 25031 41a1b8 153 API calls 24903->25031 24904->24902 24908 41ac8f 24906->24908 24909 40481c 153 API calls 24907->24909 25009 41a818 24908->25009 24911 41acbe 24909->24911 24911->24843 
24913 40c6fc FindResourceA 24912->24913 24914 4047f8 148 API calls 24912->24914 24915 40c70a LoadResource 24913->24915 24916 40c73d 24913->24916 24914->24913 24915->24916 24917 40c717 SizeofResource LockResource 24915->24917 24916->24856 24921 419848 24916->24921 24967 4048e8 24917->24967 24919 40c730 24920 40c737 FreeResource 24919->24920 24920->24916 24922 419850 24921->24922 24958 419941 24922->24958 24986 404d18 153 API calls 24922->24986 24923 419b5a 24927 40481c 153 API calls 24923->24927 24925 4199e1 24928 4047f8 153 API calls 24925->24928 24926 419978 24929 40c6e8 153 API calls 24926->24929 24930 419b74 24927->24930 24948 4199d6 24928->24948 24935 419994 24929->24935 24931 4047f8 153 API calls 24930->24931 24932 419b7c 24931->24932 24932->24856 24933 419a14 24992 404d18 153 API calls 24933->24992 24934 4199ff 24991 404d18 153 API calls 24934->24991 24935->24948 24990 404d18 153 API calls 24935->24990 24938 4198b0 24938->24958 24987 40a370 153 API calls 24938->24987 24941 419a12 24972 418638 153 API calls 24941->24972 24942 4199cb 24945 41abc0 153 API calls 24942->24945 24943 4198eb 24988 40a370 153 API calls 24943->24988 24945->24948 24947 419a37 24973 418004 153 API calls 24947->24973 24948->24923 24948->24933 24948->24934 24949 41990e 24989 40a370 153 API calls 24949->24989 24952 419a42 24974 4171bc 153 API calls 24952->24974 24953 419931 24955 404b80 153 API calls 24953->24955 24955->24958 24956 419a4d 24975 404890 24956->24975 24958->24923 24958->24925 24958->24926 24960 419a73 24979 418590 24960->24979 24962 419aa2 24993 418d70 153 API calls 24962->24993 24964 419ac2 24966 419ad3 24964->24966 24994 4193f4 153 API calls 24964->24994 24966->24856 24968 4048bc 153 API calls 24967->24968 24969 4048f8 24968->24969 24970 4047f8 153 API calls 24969->24970 24971 404910 24970->24971 24971->24919 24972->24947 24973->24952 24974->24956 24976 404894 24975->24976 24977 4048b8 24976->24977 24978 402830 153 API calls 24976->24978 24977->24923 24977->24960 
24978->24977 24980 41859e 24979->24980 24981 4185cb 24980->24981 24982 4185bc 24980->24982 24984 4185c4 24980->24984 24981->24984 24996 407fa8 GlobalAlloc GlobalFix 24981->24996 24995 407fd4 GlobalHandle GlobalUnWire GlobalFree 24982->24995 24984->24962 24986->24938 24987->24943 24988->24949 24989->24953 24990->24942 24991->24941 24992->24941 24993->24964 24994->24966 24995->24984 24996->24984 24997->24865 24998->24875 24999->24881 25000->24880 25001->24880 25002->24880 25006 418749 25003->25006 25004 4047f8 153 API calls 25005 418822 25004->25005 25005->24901 25007 404e44 153 API calls 25006->25007 25008 4187b7 25006->25008 25007->25008 25008->24901 25008->25004 25022 41a834 25009->25022 25010 4047f8 153 API calls 25011 41ab76 25010->25011 25012 405350 153 API calls 25011->25012 25013 41ab84 25012->25013 25014 4047f8 153 API calls 25013->25014 25015 41ab8c 25014->25015 25016 4047f8 153 API calls 25015->25016 25017 41ab94 25016->25017 25017->24907 25018 41a9be 25027 41a9dc 25018->25027 25034 419d3c 153 API calls 25018->25034 25021 404d58 153 API calls 25021->25022 25022->25018 25022->25021 25024 41aafe 25022->25024 25032 41a7b4 153 API calls 25022->25032 25033 4188b8 153 API calls 25022->25033 25024->25010 25025 41a7b4 153 API calls 25025->25027 25027->25024 25027->25025 25028 404b80 153 API calls 25027->25028 25030 404d58 153 API calls 25027->25030 25035 41bc7c 153 API calls 25027->25035 25036 418ed0 153 API calls 25027->25036 25028->25027 25030->25027 25031->24907 25032->25022 25033->25022 25034->25027 25035->25027 25036->25027 25037->24393 25039 41ecee 25038->25039 25045 41ed6b 25038->25045 25040 41ce14 159 API calls 25039->25040 25042 41ed0b 25040->25042 25041 41eef3 25041->24403 25043 41ecb4 159 API calls 25042->25043 25042->25045 25043->25045 25044 41d3c0 159 API calls 25044->25045 25045->25041 25045->25044 25046->24403 25048 4069a0 25047->25048 25049 406997 25047->25049 25048->24428 25052 40689c 8 API calls 25049->25052 25053 4068e0 25049->25053 25058 437118 
25049->25058 25052->25048 25054 40689c 25053->25054 25056 4068e8 25053->25056 25055 4068af 25054->25055 25057 406980 9 API calls 25054->25057 25055->25048 25056->25048 25057->25055 25059 437126 25058->25059 25060 4068e0 9 API calls 25059->25060 25062 43714e 25059->25062 25060->25062 25061 43716c 25064 437180 25061->25064 25070 42eec4 EnterCriticalSection 25061->25070 25062->25061 25063 4068e0 9 API calls 25062->25063 25063->25061 25066 40689c 9 API calls 25064->25066 25067 4371a1 25066->25067 25068 40689c 9 API calls 25067->25068 25069 4371a9 25068->25069 25069->25048 25071 42eeeb 25070->25071 25072 42ef08 25070->25072 25078 42edfc EnterCriticalSection LeaveCriticalSection 25071->25078 25073 42ef0a LeaveCriticalSection 25072->25073 25073->25064 25075 42eef3 25076 42ef00 LocalFree 25075->25076 25079 42ee68 LocalFree LocalFree LocalFree 25075->25079 25076->25073 25078->25075 25079->25076 25195 40e0d0 25196 40c5a8 153 API calls 25195->25196 25197 40e0e5 25196->25197 25225 401ad0 25226 401af6 25225->25226 25234 401b4f 25225->25234 25235 40189c 25226->25235 25230 401b13 25231 401750 VirtualFree 25230->25231 25232 401b2a 25230->25232 25231->25232 25232->25234 25240 4015e0 LocalAlloc 25232->25240 25238 4018d3 25235->25238 25236 401913 25239 401570 LocalAlloc 25236->25239 25237 4018ed VirtualFree 25237->25238 25238->25236 25238->25237 25239->25230 25240->25234 25241 44d4d0 25250 44d104 25241->25250 25243 44d50a CreateThread 25244 44d52f 25243->25244 25348 44cfa0 25243->25348 25245 44d552 25244->25245 25246 44d538 GetCurrentThreadId 25244->25246 25248 4047f8 153 API calls 25245->25248 25285 42bbb8 25246->25285 25249 44d567 25248->25249 25251 44d134 25250->25251 25252 411c84 153 API calls 25251->25252 25256 44d1c4 25251->25256 25252->25256 25253 4047f8 153 API calls 25254 44d1ea 25253->25254 25255 44d434 25254->25255 25257 413288 2 API calls 25254->25257 25258 402810 153 API calls 25255->25258 25256->25253 25259 44d209 25257->25259 25260 44d45d 25258->25260 25259->25255 
25262 413288 2 API calls 25259->25262 25261 40481c 153 API calls 25260->25261 25263 44d494 25261->25263 25270 44d223 25262->25270 25264 405350 153 API calls 25263->25264 25265 44d4a2 25264->25265 25265->25243 25266 44d275 25266->25255 25267 413288 2 API calls 25266->25267 25269 44d292 25267->25269 25268 413288 GetCurrentProcess ReadProcessMemory 25268->25270 25269->25255 25271 413288 2 API calls 25269->25271 25270->25255 25270->25266 25270->25268 25272 44d2ac 25271->25272 25272->25255 25317 42b7ec InitializeSecurityDescriptor SetSecurityDescriptorDacl 25272->25317 25274 44d316 GetCurrentProcessId 25318 40a4a8 25274->25318 25277 404b0c 153 API calls 25278 44d344 25277->25278 25330 407228 CreateMutexA 25278->25330 25280 44d35b 25280->25255 25281 44d368 WaitForSingleObject 25280->25281 25282 44d3f8 ReleaseMutex 25281->25282 25283 44d399 VirtualAlloc VirtualProtect 25281->25283 25282->25243 25283->25282 25284 44d3e6 VirtualProtect 25283->25284 25284->25282 25286 42bbd1 25285->25286 25287 42bbf4 WaitForSingleObject 25286->25287 25288 42be2c 25286->25288 25294 42bc18 25287->25294 25289 4047f8 153 API calls 25288->25289 25290 42be41 25289->25290 25291 4047f8 153 API calls 25290->25291 25292 42be49 25291->25292 25292->25245 25293 42bcd5 25297 42bceb 25293->25297 25304 42bcfc GetCurrentProcess GetCurrentProcess DuplicateHandle 25293->25304 25306 42bdba 25293->25306 25294->25293 25295 42bc9f LocalSize 25294->25295 25296 42bc6b LocalSize 25294->25296 25298 42bcb2 LocalFree LocalSize 25295->25298 25299 42bcac 25295->25299 25296->25295 25312 42bc76 25296->25312 25305 42bd28 LocalAlloc 25297->25305 25297->25306 25302 42bcc6 LocalFree 25298->25302 25303 42bccf LocalFree 25298->25303 25299->25298 25300 42bdd5 LocalSize 25300->25306 25307 42bde0 WaitForSingleObject 25300->25307 25301 42be09 ReleaseMutex 25301->25245 25302->25303 25303->25293 25304->25297 25346 404ac0 25305->25346 25306->25300 25306->25301 25307->25306 25309 42bdef 25307->25309 25311 42bbb8 153 API calls 
25309->25311 25314 42be00 25311->25314 25312->25295 25313 404ac0 25315 42bd57 LocalAlloc 25313->25315 25314->25301 25316 42bd6b 25315->25316 25316->25306 25317->25274 25331 40a280 25318->25331 25321 40a4df 25323 409edc 153 API calls 25321->25323 25322 40a510 25325 404b0c 153 API calls 25322->25325 25324 40a500 25323->25324 25327 404b0c 153 API calls 25324->25327 25326 40a51e 25325->25326 25329 409edc 153 API calls 25326->25329 25328 40a50e 25327->25328 25328->25277 25329->25328 25330->25280 25332 40a29f 25331->25332 25333 40a2e3 25332->25333 25334 40a2a5 25332->25334 25335 40484c 153 API calls 25333->25335 25344 40a1d4 153 API calls 25334->25344 25343 40a2e1 25335->25343 25337 40481c 153 API calls 25338 40a309 25337->25338 25338->25321 25338->25322 25339 40a2af 25339->25343 25345 40a1d4 153 API calls 25339->25345 25341 40a2d6 25342 404b0c 153 API calls 25341->25342 25342->25343 25343->25337 25344->25339 25345->25341 25347 404ac4 LocalAlloc 25346->25347 25347->25313 25349 402830 153 API calls 25348->25349 25350 44cfc7 25349->25350 25351 44d02b GetCurrentThreadId 25350->25351 25352 42bbb8 169 API calls 25351->25352 25353 44d04c 25352->25353 25540 40b8e8 25541 4061b0 153 API calls 25540->25541 25542 40b912 NtdllDefWindowProc_A 25541->25542 25543 40b935 25542->25543 25544 40b94b WaitForSingleObject 25543->25544 25545 40ba2f 25543->25545 25549 40b970 25544->25549 25546 4061b0 153 API calls 25545->25546 25547 40ba4a 25546->25547 25548 40b9a7 ReleaseMutex 25549->25548 25552 40609c 153 API calls 25549->25552 25551 40b9a1 25551->25548 25552->25551 26326 42cef0 26327 42cef8 26326->26327 26328 42cf3f GetModuleHandleA 26327->26328 26334 42cfab 26327->26334 26330 42cf4f GetModuleHandleA 26328->26330 26338 42cf5b 26328->26338 26329 42d439 26331 405350 153 API calls 26329->26331 26330->26338 26332 42d473 26331->26332 26333 405384 153 API calls 26332->26333 26335 42d489 26333->26335 26334->26329 26336 410a38 2 API calls 26334->26336 26341 42d00e 26336->26341 26337 42d024 26339 
411c84 153 API calls 26337->26339 26344 42d307 26337->26344 26338->26334 26346 42d08e 26339->26346 26340 42d409 26340->26329 26365 446f74 26340->26365 26341->26337 26343 410a38 2 API calls 26341->26343 26343->26341 26344->26340 26345 410a38 2 API calls 26344->26345 26351 42d31d 26345->26351 26346->26344 26347 411c84 153 API calls 26346->26347 26349 42d0ae 26347->26349 26348 42d374 26348->26340 26353 410a38 2 API calls 26348->26353 26350 40556c 153 API calls 26349->26350 26358 42d0c2 26350->26358 26351->26348 26352 410a38 2 API calls 26351->26352 26352->26351 26355 42d3a1 26353->26355 26354 42d1f6 26354->26344 26356 411c84 153 API calls 26354->26356 26355->26340 26357 410a38 2 API calls 26355->26357 26362 42d20d 26356->26362 26357->26355 26358->26354 26360 410a38 GetCurrentProcess ReadProcessMemory 26358->26360 26361 446fc4 155 API calls 26358->26361 26359 411c84 153 API calls 26359->26362 26360->26358 26361->26358 26362->26344 26362->26359 26363 410a38 2 API calls 26362->26363 26364 446fc4 155 API calls 26362->26364 26363->26362 26364->26362 26366 446f7e 26365->26366 26369 446d24 26366->26369 26370 4047f8 153 API calls 26369->26370 26371 446d55 26370->26371 26372 4048e8 153 API calls 26371->26372 26373 446d6f 26372->26373 26374 4048e8 153 API calls 26373->26374 26376 446d7b 26374->26376 26375 40481c 153 API calls 26377 446e5e 26375->26377 26378 446dac VirtualProtect 26376->26378 26385 446e2c 26376->26385 26377->26329 26379 446dbd 26378->26379 26378->26385 26380 446dc8 VirtualProtect 26379->26380 26381 446de1 26380->26381 26382 40484c 153 API calls 26381->26382 26383 446e1b 26382->26383 26384 40484c 153 API calls 26383->26384 26384->26385 26385->26375 26414 68f8df 26415 68a7e1 29 API calls 26414->26415 26416 68f8fb 26415->26416 26417 68f8ff ReadFile 26416->26417 26418 68f917 26416->26418 26417->26418 26501 4372f8 26502 437048 153 API calls 26501->26502 26503 437321 26502->26503 26505 4371e4 153 API calls 26503->26505 26506 43736c 26503->26506 26504 40689c 9 API 

                                                                                                                                                                                      Executed Functions

                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                      APIs
                                                                                                                                                                                      • GetModuleHandleA.KERNEL32(kernel32.dll,CreateToolhelp32Snapshot), ref: 0042AC68
                                                                                                                                                                                      • GetModuleHandleA.KERNEL32(kernel32.dll,Thread32First,00000000,kernel32.dll,CreateToolhelp32Snapshot), ref: 0042AC7F
                                                                                                                                                                                      • GetModuleHandleA.KERNEL32(kernel32.dll,Thread32Next,00000000,kernel32.dll,Thread32First,00000000,kernel32.dll,CreateToolhelp32Snapshot), ref: 0042AC97
                                                                                                                                                                                      • GetCurrentProcessId.KERNEL32 ref: 0042ACDB
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                      • Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp Download File
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: HandleModule$CurrentProcess
• String ID: CreateToolhelp32Snapshot$MZP$NtQuerySystemInformation$Thread32First$Thread32Next$kernel32.dll$ntdll.dll
• API String ID: 2298500976-1970166007
• Opcode ID: f016c38b36d5398fbdd9d4d233ba64581c94305994ffee6a9e41a52ec48a2b6f
• Instruction ID: 25c506a66158cd3355367edfedc91018c0085eac84d9a77a12a069d1e1ebf7d5
• Opcode Fuzzy Hash: f016c38b36d5398fbdd9d4d233ba64581c94305994ffee6a9e41a52ec48a2b6f
• Instruction Fuzzy Hash: E0718270F40218AFDB10EBA9D841BAEB7F8EB44704F51447AFD10E7281D678AD51CB6A
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000000,005FA08C,?,0040627C,00400000,?,00000105,00000000,00000000,004062B8,0042E34B,00000000,0042E627), ref: 004064A8
• RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000000,005FA08C,?,0040627C,00400000,?,00000105,00000000), ref: 004064C6
• RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000000,005FA08C), ref: 004064E4
• RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00406502
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,00406591,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0040654B
• RegQueryValueExA.ADVAPI32(?,004066F8,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,00406591,?,80000001), ref: 00406569
• RegCloseKey.ADVAPI32(?,00406598,00000000,00000000,00000005,00000000,00406591,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 0040658B
• lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004065A8
• GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004065B5
• GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004065BB
• lstrlen.KERNEL32(00000000,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 004065E6
• lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 0040662D
• LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 0040663D
• lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406665
• LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406675
• lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,?,00000005,?,?), ref: 0040669B
• LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,?), ref: 004066AB
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
• String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
• API String ID: 1759228003-2375825460
• Opcode ID: 41e41b0db0f7f1ccb7cb8395cf69e8931c0eafefebc9b6fd29a6a813709a5f40
• Instruction ID: 35034cb9c8b39abfd1ed4ce7b6579fd55a354f176cf6ca7fa3e2609fe7cbbef7
• Opcode Fuzzy Hash: 41e41b0db0f7f1ccb7cb8395cf69e8931c0eafefebc9b6fd29a6a813709a5f40
• Instruction Fuzzy Hash: A351A771A4021C7AFB21D6A49C46FEF77FC9B04744F4104B7BA05F61C2EA789E848B68
Uniqueness Score: -1.00%

Control-flow Graph
• Graph image not reproduced (function entry block 0041CE14; raw edge list omitted)
APIs
• VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041D283), ref: 0041CF3C
• GetVersion.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,0041D283), ref: 0041D075
• GetModuleHandleA.KERNEL32(user32.dll,?,00000000,00000000,00000000,00000000,00000000,0041D283), ref: 0041D086
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: HandleModuleQueryVersionVirtual
• String ID: @Halt0$@HandleAnyException$@HandleAutoException$@HandleFinally$@HandleOnException$DispatchMessageA$System$user32.dll
• API String ID: 1237424064-2702513104
• Opcode ID: 1379c6149f9f382d3fe842521ec3f57df3de91adc8bf4df1726b6523ff95646c
• Instruction ID: ee9e27a4e0ffd690c78b592a3592fbe3e8c5dd6835b98571a8b4d3104461112d
• Opcode Fuzzy Hash: 1379c6149f9f382d3fe842521ec3f57df3de91adc8bf4df1726b6523ff95646c
• Instruction Fuzzy Hash: 39D1A170E442089BCB10DF69DCC5AEE77B2EB84314F24817AE5149B395C779ED86CB88
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• EnterCriticalSection.KERNEL32(0072FFF8,00000000,0042ED69,?,00000000,00000000,00000000,00000000,00000000,?,0043707C,00000000,00000000,00000000), ref: 0042EBE4
• LocalAlloc.KERNEL32(00000040,00000018,00000000,0042ED47,?,0072FFF8,00000000,0042ED69,?,00000000,00000000,00000000,00000000,00000000,?,0043707C), ref: 0042EC1E
• LeaveCriticalSection.KERNEL32(0072FFF8,0042ED4E,0072FFF8,00000000,0042ED69,?,00000000,00000000,00000000,00000000,00000000,?,0043707C,00000000,00000000,00000000), ref: 0042ED41
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: CriticalSection$AllocEnterLeaveLocal
• String ID: HttpAccount$HttpPassword$HttpServer$SmtpAccount$SmtpPassword$SmtpServer$iB$|pC
• API String ID: 716609888-2538785936
• Opcode ID: 359a05c34b916c2fa2df73e3abaa47fc6b3e0ead8dbd5e75bb7d7fed5bd0e2dd
• Instruction ID: b1a5dffe35c2b65eac377c160e100ab3d76b18143520182c00df121b29fdb422
• Opcode Fuzzy Hash: 359a05c34b916c2fa2df73e3abaa47fc6b3e0ead8dbd5e75bb7d7fed5bd0e2dd
• Instruction Fuzzy Hash: B2515475B101299FDB10EB9AD841ADEB7B9EB48704F90846BF400E7341DB78ED05CB69
Uniqueness Score: -1.00%

Control-flow Graph
• Graph image not reproduced (function entry block 00406598; raw edge list omitted)
APIs
• lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004065A8
• GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004065B5
• GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004065BB
• lstrlen.KERNEL32(00000000,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 004065E6
• lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 0040662D
• LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 0040663D
• lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406665
• LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406675
• lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,?,00000005,?,?), ref: 0040669B
• LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,?), ref: 004066AB
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                                      • Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp Download File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                                                                                                                                                                                      • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                                                                                                                      • API String ID: 1599918012-2375825460
                                                                                                                                                                                      • Opcode ID: 8079b842eedd49424861a0e0ef99779649cd7b20b458b88265d2ac509d6a4de3
                                                                                                                                                                                      • Instruction ID: 61454ffa90b4873eb83e5aa98ed909ba9c8c2f1453fa0c8e63582d35130b75c6
                                                                                                                                                                                      • Opcode Fuzzy Hash: 8079b842eedd49424861a0e0ef99779649cd7b20b458b88265d2ac509d6a4de3
                                                                                                                                                                                      • Instruction Fuzzy Hash: 0D316171E0021D6AFB25D6B49C86FEF7AEC8B04344F0515B7A605F62C2EA789F848B54
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

APIs
• NtdllDefWindowProc_A.NTDLL(?,?,?,?,00000000,0040BA4B), ref: 0040B922
• WaitForSingleObject.KERNEL32(00000254,000000FF,?,?,?,?,00000000,0040BA4B), ref: 0040B953
• ReleaseMutex.KERNEL32(00000254,0040B9C7,00000254,000000FF,?,?,?,?,00000000,0040BA4B), ref: 0040B9BA
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: MutexNtdllObjectProc_ReleaseSingleWaitWindow
• String ID:
• API String ID: 250368104-0
• Opcode ID: 6773adef9bbb23e499ec1b3f3d4e19e4dfb5e9e8690b39ec665ce324eddf23a0
• Instruction ID: 50032811fb8e66da72b736ad8a7cf76f3f7a3248e7df676ebd229ae3824abea4
• Opcode Fuzzy Hash: 6773adef9bbb23e499ec1b3f3d4e19e4dfb5e9e8690b39ec665ce324eddf23a0
• Instruction Fuzzy Hash: D731A7B1604208AFCB11EF69DC8195A37A8FB48324721853AF904E72A0D738ED10CBAD
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: HugeRead
• String ID:
• API String ID: 2080902951-0
• Opcode ID: 65bbda4cf2aacf3d839f4102b2621f1d7dc26343c2337852587084a0b08523a0
• Instruction ID: 3fb9157b490e494cd94c85aef85e79309f2ee38da51e1ff7ea6ec7a2e784775e
• Opcode Fuzzy Hash: 65bbda4cf2aacf3d839f4102b2621f1d7dc26343c2337852587084a0b08523a0
• Instruction Fuzzy Hash: C511A271F00228ABDB20CA59EC80B6FB7B8EF44320F444566E915E7785D738BD008BD9
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00688FCF: EnterCriticalSection.KERNEL32(00695AC8), ref: 00688FF9
• FindFirstFileA.KERNEL32(?,?,?,?,?), ref: 0068FE19
Memory Dump Source
• Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: CriticalEnterFileFindFirstSection
• String ID:
• API String ID: 1600835406-0
• Opcode ID: 1e4e5e71357f83c645b8156b4636cc540aa6f05b7c39a9b91e975a545ac24d4f
• Instruction ID: 5b51dbf89591c75594d25a11677034ce37e16300b2fdd682685cc0ef4cc3afa3
• Opcode Fuzzy Hash: 1e4e5e71357f83c645b8156b4636cc540aa6f05b7c39a9b91e975a545ac24d4f
• Instruction Fuzzy Hash: 3CE0E23550010DFFCF01EFA0CD0088EBBBAEF18384B008025F91896221E772DB20AB50
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
	E0068EF5E() {
		_Unknown_base(*)()* _t1;

		_t1 = SetUnhandledExceptionFilter(0x68ef6e); // executed
		return _t1;
	}


APIs
• SetUnhandledExceptionFilter.KERNEL32(0068EF6E,?,006885B0), ref: 0068EF66
Memory Dump Source
• Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: b8407ae374422cf5aea255856646c419441e3d17fc18c8f88835fdf8cd24ef17
• Instruction ID: 765b59ec5eb171b47e7b3bec864eef9db4bd17b9c9fda8a4a54d384a54f2014c
• Opcode Fuzzy Hash: b8407ae374422cf5aea255856646c419441e3d17fc18c8f88835fdf8cd24ef17
• Instruction Fuzzy Hash: E5A0223208030CB30F003BE2BC0A8083B0EE000A203000002F30C02AA00A83E220CBB2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6e56ffc53f83765ca6ab4aeb8ecbd74c6ffa0c8d44c0b2383d4b8dc6b6e154c0
• Instruction ID: d7fd00ceb946d41356d866ef423b35c0d97d9735a7937f30d3077fc3f3139d5f
• Opcode Fuzzy Hash: 6e56ffc53f83765ca6ab4aeb8ecbd74c6ffa0c8d44c0b2383d4b8dc6b6e154c0
• Instruction Fuzzy Hash: AE121875A002099FCB14DF58C4C5A9ABBB1FF48354F158196E8489F366C7B8EDC2CB98
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                      C-Code - Quality: 100%
                                                                                                                                                                                      			E006882A0(void* _a4) {
                                                                                                                                                                                      				void* _v8;
                                                                                                                                                                                      				struct HINSTANCE__* _v12;
                                                                                                                                                                                      				intOrPtr* _v16;
                                                                                                                                                                                      				struct HINSTANCE__* _v20;
                                                                                                                                                                                      				void* _v24;
                                                                                                                                                                                      				signed int _v28;
                                                                                                                                                                                      				intOrPtr _v32;
                                                                                                                                                                                      				intOrPtr* _v36;
                                                                                                                                                                                      				intOrPtr _v40;
                                                                                                                                                                                      				intOrPtr _v44;
                                                                                                                                                                                      				intOrPtr _v48;
                                                                                                                                                                                      				long _v52;
                                                                                                                                                                                      				signed int* _v56;
                                                                                                                                                                                      				void* _v60;
                                                                                                                                                                                      				signed int _v64;
                                                                                                                                                                                      				long _v68;
                                                                                                                                                                                      				intOrPtr _v72;
                                                                                                                                                                                      				intOrPtr _v76;
                                                                                                                                                                                      				long _v80;
                                                                                                                                                                                      				signed int* _v84;
                                                                                                                                                                                      				intOrPtr _v88;
                                                                                                                                                                                      				long _v92;
                                                                                                                                                                                      				void* _t128;
                                                                                                                                                                                      				void* _t137;
                                                                                                                                                                                      				void* _t155;
                                                                                                                                                                                      				void* _t161;
                                                                                                                                                                                      				intOrPtr _t166;
                                                                                                                                                                                      				void* _t168;
                                                                                                                                                                                      				signed int _t189;
                                                                                                                                                                                      				signed int _t190;
                                                                                                                                                                                      				signed int _t206;
                                                                                                                                                                                      				signed int _t207;
                                                                                                                                                                                      				void* _t267;
                                                                                                                                                                                      				void* _t269;
                                                                                                                                                                                      
                                                                                                                                                                                      				_v20 = GetModuleHandleA(0);
                                                                                                                                                                                      				_t128 = LocalAlloc(0x40, 0xd440); // executed
                                                                                                                                                                                      				_v8 = _t128;
                                                                                                                                                                                      				_v16 = _v20 +  *((intOrPtr*)(_v20 + 0x3c));
                                                                                                                                                                                      				if( *_v16 != 0x4550) {
                                                                                                                                                                                      					RaiseException(0xef000002, 0, 0, 0);
                                                                                                                                                                                      				}
                                                                                                                                                                                      				_v24 = 0;
                                                                                                                                                                                      				_v48 = _v16 + 0xfffffffffffffff0;
                                                                                                                                                                                      				_v56 = _v20 +  *((intOrPtr*)(_v48 + 0xc));
                                                                                                                                                                                      				_v44 = _v20 +  *((intOrPtr*)(_v48 + 0xc)) +  *((intOrPtr*)(_v48 + 0x10));
                                                                                                                                                                                      				_v28 = _v56;
                                                                                                                                                                                      				while(_v56 < _v44) {
                                                                                                                                                                                      					_v28 = 0x3c6ef375 + _v28 * 0x19660d;
                                                                                                                                                                                      					 *_v56 =  *_v56 ^ _v28;
                                                                                                                                                                                      					_v56 =  &(_v56[1]);
                                                                                                                                                                                      				}
                                                                                                                                                                                      				_v36 = _v20 +  *((intOrPtr*)(_v48 + 0xc));
                                                                                                                                                                                      				_v40 =  *_v36;
                                                                                                                                                                                      				_v52 =  *((intOrPtr*)(_v36 + 4));
                                                                                                                                                                                      				_t137 = LocalAlloc(0x40, _v52); // executed
                                                                                                                                                                                      				_v24 = _t137;
                                                                                                                                                                                      				if(_v24 == 0 || _v52 > 0x10000) {
                                                                                                                                                                                      					RaiseException(0xef0000fe, 0, 0, 0);
                                                                                                                                                                                      				}
                                                                                                                                                                                      				_t189 = _v52;
                                                                                                                                                                                      				_t267 = _v36 + 8;
                                                                                                                                                                                      				_t190 = _t189 >> 2;
                                                                                                                                                                                      				memcpy(_v24, _t267, _t190 << 2);
                                                                                                                                                                                      				memcpy(_t267 + _t190 + _t190, _t267, _t189 & 0x00000003);
                                                                                                                                                                                      				_v32 = E00688000(_v8, _v24, _v52, _v36, _v40);
                                                                                                                                                                                      				LocalFree(_v24);
                                                                                                                                                                                      				 *0x695a20 = GetCurrentProcess();
                                                                                                                                                                                      				_v12 = GetModuleHandleA("kernel32.dll");
                                                                                                                                                                                      				if(_v12 == 0) {
                                                                                                                                                                                      					RaiseException(0xef0000fd, 0, 0, 0);
                                                                                                                                                                                      				}
                                                                                                                                                                                      				 *0x695a10 = GetProcAddress(_v12, "FlushInstructionCache");
                                                                                                                                                                                      				if( *0x695a10 == 0) {
                                                                                                                                                                                      					RaiseException(0xef0000fc, 0, 0, 0);
                                                                                                                                                                                      				}
                                                                                                                                                                                      				_v60 = 0;
                                                                                                                                                                                      				_v76 = _v16 + 0xffffffffffffffa0;
                                                                                                                                                                                      				_v84 = _a4;
                                                                                                                                                                                      				_v72 = _v20 +  *((intOrPtr*)(_v76 + 0xc)) +  *((intOrPtr*)(_v76 + 0x10));
                                                                                                                                                                                      				_v64 = _v84;
                                                                                                                                                                                      				while(_v84 < _v72) {
                                                                                                                                                                                      					_v64 = 0x3c6ef375 + _v64 * 0x19660d;
                                                                                                                                                                                      					 *_v84 =  *_v84 ^ _v64;
                                                                                                                                                                                      					_v84 =  &(_v84[1]);
                                                                                                                                                                                      				}
                                                                                                                                                                                      				_v68 =  *_a4;
                                                                                                                                                                                      				_v80 =  *((intOrPtr*)(_a4 + 4));
                                                                                                                                                                                      				_t155 = LocalAlloc(0x40, _v80); // executed
                                                                                                                                                                                      				_v60 = _t155;
                                                                                                                                                                                      				if(_v60 == 0 || _v80 > 0x10000) {
                                                                                                                                                                                      					RaiseException(0xef0000ff, 0, 0, 0);
                                                                                                                                                                                      				}
                                                                                                                                                                                      				_t206 = _v80;
                                                                                                                                                                                      				_t269 = _a4 + 8;
                                                                                                                                                                                      				_t207 = _t206 >> 2;
                                                                                                                                                                                      				memcpy(_v60, _t269, _t207 << 2);
                                                                                                                                                                                      				memcpy(_t269 + _t207 + _t207, _t269, _t206 & 0x00000003);
                                                                                                                                                                                      				E00688000(_v8, _v60, _v80, _a4, _v68);
                                                                                                                                                                                      				_t161 =  *0x695a20; // 0xffffffff
                                                                                                                                                                                      				FlushInstructionCache(_t161, _a4, _v68);
                                                                                                                                                                                      				LocalFree(_v60);
                                                                                                                                                                                      				LocalFree(_v8);
                                                                                                                                                                                      				 *0x695a24 =  *0x006885E4;
                                                                                                                                                                                      				_t166 = E0068E6F9( *0x006885E4, 0x68); // executed
                                                                                                                                                                                      				_v88 = _t166;
                                                                                                                                                                                      				if(_v88 == 0) {
                                                                                                                                                                                      					_v92 = 0;
                                                                                                                                                                                      				} else {
                                                                                                                                                                                      					_v92 = E00688240(_v88);
                                                                                                                                                                                      				}
                                                                                                                                                                                      				 *0x006885E4 = _v92;
                                                                                                                                                                                      				_t168 = E0068EF5E(); // executed
                                                                                                                                                                                      				return _t168;
                                                                                                                                                                                      			}
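Reading the listing as an unpacking stub: E006882A0 walks e_lfanew (+0x3c) to IMAGE_NT_HEADERS, checks the 0x4550 ("PE\0\0") signature, then XOR-decodes a section in place, one dword at a time, with a keystream from the linear congruential generator x = x * 0x19660d + 0x3c6ef375 (the _v28 and _v64 loops). The generator is seeded with the absolute address of the first dword (_v28 = _v56), so the keystream depends on where the image is mapped; the decoded data starts with two dwords (the size later passed to FlushInstructionCache, and a payload size that must not exceed 0x10000) followed by the payload, which is copied into a LocalAlloc buffer (the memcpy pair is the decompiler's rendering of rep movsd / rep movsb) and handed to E00688000 together with the section start as the destination. The same sequence is then repeated for the region passed in _a4. The section-header pointers (_v48, _v76) come out of the decompiler as NtHeaders - 0x10 and NtHeaders - 0x60, which are not usable offsets as printed; the two differ by 0x50, two IMAGE_SECTION_HEADER entries, and the +0xc / +0x10 reads match VirtualAddress and SizeOfRawData, so they are treated here as section headers whose index the analyst supplies. The script below is an added example, not code from the report or from the sample: it reproduces the LCG XOR and the header split so the layer after the XOR can be pulled out of a memory dump statically. E00688000 is not identified on the page and is not reproduced; the image base, the section index and the reading of dword 0 as the decompressed size are assumptions, and build_demo_image constructs a minimal PE32 image purely to exercise the functions.

```python
"""
Static reproduction of the LCG-XOR section decoding in E006882A0 (njw.exe,
Joe Sandbox analysis 511823). Added example; the decompressor E00688000 is
not reproduced. Assumptions: image_base is the address the stub ran at
(the preferred ImageBase unless the loader relocated the image) and the
caller picks the section index, because the decompiled header offsets are
not reliable.
"""
import struct

LCG_MUL = 0x19660D        # multiplier from the _v28 / _v64 loops
LCG_INC = 0x3C6EF375      # increment from the same loops
MASK32 = 0xFFFFFFFF
MAX_PAYLOAD = 0x10000     # stub raises 0xef0000fe / 0xef0000ff above this


def lcg_xor(data: bytes, seed: int) -> bytes:
    """XOR data dword by dword with the stub's LCG keystream.

    The stub seeds the generator with the absolute address of the first dword,
    steps it before every XOR and stops at base + VirtualAddress + SizeOfRawData.
    XOR is its own inverse, so this encodes and decodes. A trailing partial
    dword is zero-padded here; the stub just reads past the end of the section.
    """
    state = seed & MASK32
    out = bytearray()
    for off in range(0, len(data), 4):
        chunk = data[off:off + 4]
        word = int.from_bytes(chunk.ljust(4, b"\0"), "little")
        state = (state * LCG_MUL + LCG_INC) & MASK32
        out += (word ^ state).to_bytes(4, "little")[:len(chunk)]
    return bytes(out)


def parse_stage_header(decoded: bytes):
    """Split a decoded section into the two header dwords and the copied blob.

    dword 0 is the size later passed to FlushInstructionCache (assumed to be
    the decompressed size), dword 1 the payload size (<= 0x10000), and the
    payload follows at +8, which the stub copies into a fresh LocalAlloc buffer
    before calling E00688000(work, copy, payload_size, section_start, dword0).
    """
    if len(decoded) < 8:
        raise ValueError("section too small for the 8-byte stage header")
    out_size, comp_size = struct.unpack_from("<II", decoded, 0)
    if comp_size > MAX_PAYLOAD:
        raise ValueError(f"payload size 0x{comp_size:x} exceeds 0x{MAX_PAYLOAD:x}")
    if 8 + comp_size > len(decoded):
        raise ValueError("payload size runs past the end of the section")
    return out_size, comp_size, decoded[8:8 + comp_size]


def section_table(image: bytes):
    """Yield (VirtualAddress, SizeOfRawData) for each section of a PE32 image.

    Same walk the stub performs: e_lfanew at +0x3c, 'PE\\0\\0' check, then the
    section headers after IMAGE_FILE_HEADER and the optional header.
    """
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (signature mismatch)")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 0x14)[0]
    first = e_lfanew + 0x18 + opt_size
    for i in range(num_sections):
        hdr = first + i * 0x28
        va, raw_size = struct.unpack_from("<II", image, hdr + 0xC)
        yield va, raw_size


def recover_stage(image: bytes, image_base: int, section_index: int):
    """Decode one section of a memory-mapped image the way the stub does."""
    va, raw_size = list(section_table(image))[section_index]
    encoded = image[va:va + raw_size]          # image is mapped, not a file on disk
    decoded = lcg_xor(encoded, image_base + va)  # seed = absolute address of the section
    return parse_stage_header(decoded)


def build_demo_image(image_base: int, payload: bytes, out_size: int) -> bytes:
    """Constructed test input (not from the sample): a minimal PE32 memory image
    with one LCG-encoded section at VA 0x1000 carrying the 8-byte stage header."""
    va, opt_size, e_lfanew = 0x1000, 0xE0, 0x40
    plain = struct.pack("<II", out_size, len(payload)) + payload
    plain += b"\0" * (-len(plain) % 4)
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, stamp, symtab, nsyms, SizeOfOptionalHeader, flags
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)         # PE32 magic
    sect = bytearray(0x28)
    sect[:8] = b".data\0\0\0"
    struct.pack_into("<III", sect, 8, len(plain), va, len(plain))  # VirtualSize, VA, SizeOfRawData
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + bytes(sect)
    image = bytearray(headers.ljust(va, b"\0"))
    image += lcg_xor(plain, image_base + va)
    return bytes(image)


if __name__ == "__main__":
    base = 0x680000
    img = build_demo_image(base, b"\xcc" * 37 + b"END", 0x2000)
    print(recover_stage(img, base, 0))
```

Run against a real dump, replace build_demo_image with the dumped image bytes and pass the base it was dumped from; a wrong base yields a different keystream from the first dword on, so the size check in parse_stage_header is usually the first thing to fail.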

Instruction addresses (the address column the report shows beside the listing for E006882A0; the lines it annotates were not preserved by extraction):
0x006882b0 0x006882ba 0x006882c0 0x006882cc 0x006882d8 0x006882e5 0x006882e5 0x006882eb 0x00688312 0x0068831e 0x00688330 0x00688336 0x00688344 0x0068835a 0x00688368 0x00688341 0x00688341 0x00688375 0x0068837d 0x00688386 0x0068838f 0x00688395 0x0068839c 0x006883b2 0x006883b2 0x006883b8 0x006883be 0x006883c6 0x006883c9 0x006883d0 0x006883ea 0x006883f1 0x006883fd 0x0068840d 0x00688414 0x00688421 0x00688421 0x00688436 0x00688442 0x0068844f 0x0068844f 0x00688455 0x0068847c 0x00688482 0x00688494 0x0068849a 0x006884a8
                                                                                                                                                                                      0x006884bf
                                                                                                                                                                                      0x006884cd
                                                                                                                                                                                      0x006884a5
                                                                                                                                                                                      0x006884a5
                                                                                                                                                                                      0x006884d6
                                                                                                                                                                                      0x006884df
                                                                                                                                                                                      0x006884e8
                                                                                                                                                                                      0x006884ee
                                                                                                                                                                                      0x006884f5
                                                                                                                                                                                      0x0068850b
                                                                                                                                                                                      0x0068850b
                                                                                                                                                                                      0x00688511
                                                                                                                                                                                      0x00688517
                                                                                                                                                                                      0x0068851f
                                                                                                                                                                                      0x00688522
                                                                                                                                                                                      0x00688529
                                                                                                                                                                                      0x0068853e
                                                                                                                                                                                      0x0068854b
                                                                                                                                                                                      0x00688551
                                                                                                                                                                                      0x0068855b
                                                                                                                                                                                      0x00688565
                                                                                                                                                                                      0x00688573
                                                                                                                                                                                      0x0068857b
                                                                                                                                                                                      0x00688583
                                                                                                                                                                                      0x0068858a
                                                                                                                                                                                      0x00688599
                                                                                                                                                                                      0x0068858c
                                                                                                                                                                                      0x00688594
                                                                                                                                                                                      0x00688594
                                                                                                                                                                                      0x006885a8
                                                                                                                                                                                      0x006885ab
                                                                                                                                                                                      0x006885b5

                                                                                                                                                                                      APIs
                                                                                                                                                                                      • GetModuleHandleA.KERNEL32(00000000), ref: 006882AA
                                                                                                                                                                                      • LocalAlloc.KERNEL32(00000040,0000D440), ref: 006882BA
                                                                                                                                                                                      • RaiseException.KERNEL32(EF000002,00000000,00000000,00000000), ref: 006882E5
                                                                                                                                                                                      • LocalAlloc.KERNEL32(00000040,?), ref: 0068838F
                                                                                                                                                                                      • RaiseException.KERNEL32(EF0000FE,00000000,00000000,00000000), ref: 006883B2
                                                                                                                                                                                      • LocalFree.KERNEL32(00000000,00000000,?,?,?), ref: 006883F1
                                                                                                                                                                                      • GetCurrentProcess.KERNEL32 ref: 006883F7
                                                                                                                                                                                      • GetModuleHandleA.KERNEL32(htSi), ref: 00688407
                                                                                                                                                                                      • RaiseException.KERNEL32(EF0000FD,00000000,00000000,00000000), ref: 00688421
                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,FlushInstructionCache), ref: 00688430
                                                                                                                                                                                      • RaiseException.KERNEL32(EF0000FC,00000000,00000000,00000000), ref: 0068844F
                                                                                                                                                                                        • Part of subcall function 00688240: InitializeCriticalSection.KERNEL32(00000000,00000000), ref: 0068825F
                                                                                                                                                                                        • Part of subcall function 00688240: InitializeCriticalSection.KERNEL32(-00000018), ref: 0068826C
                                                                                                                                                                                        • Part of subcall function 00688240: InitializeCriticalSection.KERNEL32(-00000030), ref: 00688279
                                                                                                                                                                                        • Part of subcall function 00688240: InitializeCriticalSection.KERNEL32(-00000048), ref: 00688286
                                                                                                                                                                                      • LocalAlloc.KERNEL32(00000040,?), ref: 006884E8
                                                                                                                                                                                      • RaiseException.KERNEL32(EF0000FF,00000000,00000000,00000000), ref: 0068850B
                                                                                                                                                                                      • FlushInstructionCache.KERNEL32(FFFFFFFF,00000000,?,00000000,?,00000000,?), ref: 00688551
                                                                                                                                                                                      • LocalFree.KERNEL32(00000000), ref: 0068855B
                                                                                                                                                                                      • LocalFree.KERNEL32(?), ref: 00688565
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: Local$ExceptionRaise$CriticalInitializeSection$AllocFree$HandleModule$AddressCacheCurrentFlushInstructionProcProcess
                                                                                                                                                                                      • String ID: FlushInstructionCache$htSi
                                                                                                                                                                                      • API String ID: 3723771925-4113515290
                                                                                                                                                                                      • Opcode ID: c27f56af8ec5e0161befa5f7e861e330d02f9f7aa42f831fe33ad6ba02589f2d
                                                                                                                                                                                      • Instruction ID: 7db19623159e5ff8f0d0927498a404f4ec41325188fa5b0572661afa0a3e3e94
                                                                                                                                                                                      • Opcode Fuzzy Hash: c27f56af8ec5e0161befa5f7e861e330d02f9f7aa42f831fe33ad6ba02589f2d
                                                                                                                                                                                      • Instruction Fuzzy Hash: F0B1F974E01219EFCB08DF94D985BAEBBB6FF88300F248159E906AB394D770A941CF54
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%
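The API list for this function shows the shape of an in-memory code loader: buffers are obtained with LocalAlloc, FlushInstructionCache is resolved by name through GetProcAddress and then called with handle FFFFFFFF (the GetCurrentProcess pseudo-handle, so the flush targets the process's own code), and every failure path raises an exception with an application-defined code (EF0000xx, customer bit 29 set, so these are not kernel-defined status values). The Python below is an added example, not code from the Joe Sandbox report or from the sample: it parses the report's bullet format as shown above (the regex is an assumption about that format), extracts the custom exception codes and checks for the alloc-then-flush-self pattern. The sample input is copied from the APIs list above; which APIs count as allocations and the rule names are this example's choices.

```python
"""Classify the per-function API list of a Joe Sandbox report.

Added example; not code from the report or from the analysed sample.
API_LINES is copied from the report's "APIs" list for the function in the
0x00688000 dump. The bullet format accepted by CALL_RE, the loader rule and
the exception-code field split are this example's own assumptions.
"""
import re

API_LINES = """
• GetModuleHandleA.KERNEL32(00000000), ref: 006882AA
• LocalAlloc.KERNEL32(00000040,0000D440), ref: 006882BA
• RaiseException.KERNEL32(EF000002,00000000,00000000,00000000), ref: 006882E5
• LocalAlloc.KERNEL32(00000040,?), ref: 0068838F
• RaiseException.KERNEL32(EF0000FE,00000000,00000000,00000000), ref: 006883B2
• LocalFree.KERNEL32(00000000,00000000,?,?,?), ref: 006883F1
• GetCurrentProcess.KERNEL32 ref: 006883F7
• GetModuleHandleA.KERNEL32(htSi), ref: 00688407
• RaiseException.KERNEL32(EF0000FD,00000000,00000000,00000000), ref: 00688421
• GetProcAddress.KERNEL32(00000000,FlushInstructionCache), ref: 00688430
• RaiseException.KERNEL32(EF0000FC,00000000,00000000,00000000), ref: 0068844F
  • Part of subcall function 00688240: InitializeCriticalSection.KERNEL32(00000000,00000000), ref: 0068825F
  • Part of subcall function 00688240: InitializeCriticalSection.KERNEL32(-00000018), ref: 0068826C
• LocalAlloc.KERNEL32(00000040,?), ref: 006884E8
• RaiseException.KERNEL32(EF0000FF,00000000,00000000,00000000), ref: 0068850B
• FlushInstructionCache.KERNEL32(FFFFFFFF,00000000,?,00000000,?,00000000,?), ref: 00688551
• LocalFree.KERNEL32(00000000), ref: 0068855B
• LocalFree.KERNEL32(?), ref: 00688565
"""

# Direct calls look like "<api>.<module>(<args>), ref: <address>"; the
# argument list may be absent. "Part of subcall function" bullets describe
# callee activity and do not match, so they are skipped.
CALL_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def parse_api_lines(text):
    """Return one dict per direct call, in report order."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        raw = m.group("args") or ""
        calls.append({"api": m.group("api"), "module": m.group("mod"),
                      "args": [a for a in raw.split(",") if a],
                      "ref": int(m.group("ref"), 16)})
    return calls


def decode_exception_code(code):
    """Split a RaiseException code into NTSTATUS-style fields: severity in
    bits 30-31 (3 = error), customer bit 29 (application-defined code),
    facility in bits 16-27, and the low 16-bit code."""
    return {"severity": (code >> 30) & 0x3,
            "customer": bool(code & 0x20000000),
            "facility": (code >> 16) & 0xFFF,
            "code": code & 0xFFFF}


def custom_exception_codes(calls):
    """Sorted set of application-defined codes passed to RaiseException."""
    codes = set()
    for c in calls:
        if c["api"] == "RaiseException" and c["args"]:
            code = int(c["args"][0], 16)
            if decode_exception_code(code)["customer"]:
                codes.add(code)
    return sorted(codes)


def find_loader_pattern(calls):
    """Evidence that the function writes code into a fresh buffer and makes
    it coherent for execution: an allocation, a run-time lookup of
    FlushInstructionCache, and a flush with handle FFFFFFFF (the
    GetCurrentProcess pseudo-handle). Returns (evidence, matched)."""
    ev = {}
    for c in calls:
        if c["api"] in ("LocalAlloc", "VirtualAlloc", "HeapAlloc"):
            ev.setdefault("alloc", c["ref"])          # first allocation only
        elif c["api"] == "GetProcAddress" and c["args"][-1:] == ["FlushInstructionCache"]:
            ev["resolve_flush"] = c["ref"]
        elif c["api"] == "FlushInstructionCache" and c["args"][:1] == ["FFFFFFFF"]:
            ev["flush_self"] = c["ref"]
    matched = all(k in ev for k in ("alloc", "flush_self")) and ev["alloc"] < ev["flush_self"]
    return ev, matched


if __name__ == "__main__":
    calls = parse_api_lines(API_LINES)
    ev, matched = find_loader_pattern(calls)
    print("loader pattern:", matched, {k: hex(v) for k, v in ev.items()})
    for code in custom_exception_codes(calls):
        print(hex(code), decode_exception_code(code))
```

The ordering check (allocation address below the flush address) is a weak proxy for control flow; for a stricter test the control-flow graph, not the flat API list, is the input to use.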

                                                                                                                                                                                      Control-flow Graph
                                                                                                                                                                                      control_flow_graph 120 445b6c-445b9a GetCurrentThreadId 121 445b9c-445ba4 120->121 122 445ba9-445bb0 120->122 125 445ecf-445ed5 121->125 123 445bb2-445bbf GetCurrentThreadId 122->123 124 445bce-445bd0 122->124 123->124 126 445bc1-445bc9 123->126 127 445bd7-445be1 124->127 126->125 128 445be3-445be7 127->128 129 445be9-445bf8 VirtualFree 128->129 130 445bfa-445c04 128->130 129->130 130->128 131 445c06-445c0c 130->131 131->127 132 445c0e-445c29 call 42d6fc 131->132 135 445c6e-445c70 132->135 136 445c2b-445c3a call 42c800 132->136 137 445c72-445c77 call 44bb6c 135->137 138 445c79-445c7d 135->138 136->135 146 445c3c-445c5a call 406f48 * 2 136->146 137->138 141 445c87-445c8b 138->141 142 445c7f-445c84 call 44bb74 138->142 147 445cc1-445d1a GetCurrentThreadId call 42c174 141->147 148 445c8d-445c99 141->148 142->141 161 445c61-445c69 146->161 162 445c5c call 43e2f8 146->162 157 445d23-445d30 CreateEventA 147->157 158 445d1c-445d21 147->158 148->147 149 445c9b-445caa 148->149 149->147 154 445cac-445cbe 149->154 154->147 160 445d33-445d4c call 4325b8 157->160 158->160 166 445de2-445de5 call 445514 160->166 167 445d52-445d6b WriteFile 160->167 161->125 162->161 172 445dea-445dfe call 4325b8 166->172 169 445dd7-445de0 call 4071e8 167->169 170 445d6d-445d71 167->170 169->172 170->169 173 445d73-445d80 GetCurrentThreadId 170->173 176 445d82 173->176 177 445dcc-445dd2 WaitForSingleObject 173->177 179 445db8-445dc8 WaitForSingleObject 176->179 177->169 180 445d84-445d97 GetMessageA 179->180 181 445dca 179->181 182 445dad-445db6 PostQuitMessage 180->182 183 445d99-445dab TranslateMessage DispatchMessageA 180->183 181->169 182->169 183->179
                                                                                                                                                                                      APIs
                                                                                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 00445B8F
                                                                                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 00445BB2
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: CurrentThread
                                                                                                                                                                                      • String ID: 4``$8$EAbort$T$E
                                                                                                                                                                                      • API String ID: 2882836952-4154414372
                                                                                                                                                                                      • Opcode ID: 6992ce1acf9816ce0726acfc49b84a3e24821b4f2c12fdd4be1e55dd23eb3e72
                                                                                                                                                                                      • Instruction ID: d8edd05669640197017135662d52151e9e2030eae24a8bc5650f74f2d97cbc4c
                                                                                                                                                                                      • Opcode Fuzzy Hash: 6992ce1acf9816ce0726acfc49b84a3e24821b4f2c12fdd4be1e55dd23eb3e72
                                                                                                                                                                                      • Instruction Fuzzy Hash: 91816D70D047499FEF11DFA5C885BAEBBB4EF08314F24856BE814E7282D738A941CB59
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                      Control-flow Graph
control_flow_graph 184 68cf7a-68cfed GetModuleHandleA 185 68d019-68d03e call 68e9c8 call 68ea26 call 68ac70 184->185 186 68cfef-68d014 LoadLibraryA call 690476 184->186 196 68d06a-68d08c call 68edf2 GetModuleHandleA 185->196 197 68d040-68d058 LoadLibraryA call 690476 185->197 191 68d8de-68d8ec 186->191 202 68d08e-68d0aa call 690476 196->202 203 68d0af-68d0c1 call 689bd7 196->203 201 68d05d-68d065 197->201 201->191 202->191 208 68d0d3-68d10d call 689ed0 call 68e6f9 call 68a7e1 203->208 209 68d0c3-68d0c7 203->209 218 68d10f-68d113 208->218 219 68d115-68d11a call 68e6e1 208->219 209->208 210 68d0c9-68d0ce call 68e6e1 209->210 210->208 218->219 220 68d11f-68d165 call 689ce6 call 68e6f9 call 68a7e1 218->220 219->220 228 68d16d-68d172 call 68e6e1 220->228 229 68d167-68d16b 220->229 230 68d177-68d180 228->230 229->228 229->230 232 68d18c-68d24b call 68cceb call 68e6f9 * 2 call 689ce6 call 68a7e1 230->232 233 68d182-68d187 call 68e6e1 230->233 245 68d24d-68d251 232->245 246 68d253-68d258 call 68e6e1 232->246 233->232 245->246 247 68d25d-68d2fe 245->247 246->247 250 68d5cf-68d5d3 247->250 251 68d304-68d333 247->251 252 68d5dc-68d5e0 250->252 253 68d339-68d344 251->253 254 68d404-68d40f 251->254 255 68d60a-68d781 CreateFileA 252->255 256 68d5e2-68d5e6 252->256 253->254 257 68d34a-68d35b 253->257 258 68d593-68d5c3 call 68cceb 254->258 259 68d415-68d426 254->259 264 68d78d-68d7a9 WriteFile 255->264 265 68d783-68d788 call 68e6e1 255->265 260 68d5e8 256->260 261 68d5ea-68d5ee 256->261 257->254 262 68d361-68d3da call 68cceb call 68e6f9 call 68cceb call 689ce6 call 68a7e1 257->262 280 68d5ca 258->280 259->258 263 68d42c-68d485 VirtualAlloc call 689ce6 call 68a7e1 259->263 267 68d5d5-68d5d9 260->267 268 68d5f0 261->268 269 68d5f2-68d608 261->269 309 68d3dc-68d3e0 262->309 310 68d3e2-68d3e7 call 68e6e1 262->310 291 68d48d-68d492 call 68e6e1 263->291 292 68d487-68d48b 263->292 273 68d7ab-68d7bd WriteFile 264->273 274 68d7c3-68d805 WriteFile FlushFileBuffers CloseHandle LoadLibraryA 264->274 265->264 267->252 268->267 269->267 273->274 278 68d82b-68d84a call 690476 274->278 279 68d807-68d826 call 68ed30 DeleteFileA call 68e6e1 274->279 278->191 279->278 280->250 294 68d497-68d4c3 291->294 292->291 292->294 297 68d4d2-68d4e5 294->297 298 68d55f-68d581 VirtualFree 297->298 299 68d4e7-68d51e 297->299 298->258 301 68d52a-68d53e 299->301 302 68d520-68d525 call 68e6e1 299->302 305 68d54d 301->305 306 68d540-68d54b 301->306 302->301 305->298 306->305 308 68d54f-68d55a call 68cf7a 306->308 308->297 309->310 311 68d3ec-68d3ff 309->311 310->311 311->280
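The control-flow graph above is a flat edge list: each basic block appears as `<id> <start>-<end>` followed by the API names and `call <callee>` entries of that block (`* N` repeats the preceding callee), and `<a>-><b>` is an edge. Read that way, it shows a block that calls CreateFileA (255) leading to blocks that call WriteFile (264, 273, 274), one of which also calls FlushFileBuffers, CloseHandle and LoadLibraryA (274), which in turn leads to a block calling DeleteFileA (279). The Python below is an added example, not code from the report or from the sample: it parses this listing (the token grammar is inferred from this one graph and is an assumption) and answers the order question an analyst would ask of it, whether there is a path that creates a file, writes to it, loads it as a library and then deletes it. The graph text is copied from the listing above; the sequences queried are the example's choice.

```python
"""Parse a Joe Sandbox control-flow-graph edge list and query API order.

Added example; not code from the report or from the analysed sample.
CFG_TEXT is copied from the report's graph for the function starting at
68cf7a. The token grammar below is inferred from that listing (assumption).
"""
import re
from collections import deque

CFG_TEXT = """
control_flow_graph 184 68cf7a-68cfed GetModuleHandleA 185 68d019-68d03e call 68e9c8 call 68ea26 call 68ac70 184->185 186 68cfef-68d014 LoadLibraryA call 690476
184->186 196 68d06a-68d08c call 68edf2 GetModuleHandleA 185->196 197 68d040-68d058 LoadLibraryA call 690476 185->197 191 68d8de-68d8ec 186->191 202 68d08e-68d0aa
call 690476 196->202 203 68d0af-68d0c1 call 689bd7 196->203 201 68d05d-68d065 197->201 201->191 202->191 208 68d0d3-68d10d call 689ed0 call 68e6f9 call 68a7e1
203->208 209 68d0c3-68d0c7 203->209 218 68d10f-68d113 208->218 219 68d115-68d11a call 68e6e1 208->219 209->208 210 68d0c9-68d0ce call 68e6e1 209->210 210->208
218->219 220 68d11f-68d165 call 689ce6 call 68e6f9 call 68a7e1 218->220 219->220 228 68d16d-68d172 call 68e6e1 220->228 229 68d167-68d16b 220->229 230 68d177-68d180
228->230 229->228 229->230 232 68d18c-68d24b call 68cceb call 68e6f9 * 2 call 689ce6 call 68a7e1 230->232 233 68d182-68d187 call 68e6e1 230->233 245 68d24d-68d251
232->245 246 68d253-68d258 call 68e6e1 232->246 233->232 245->246 247 68d25d-68d2fe 245->247 246->247 250 68d5cf-68d5d3 247->250 251 68d304-68d333 247->251
252 68d5dc-68d5e0 250->252 253 68d339-68d344 251->253 254 68d404-68d40f 251->254 255 68d60a-68d781 CreateFileA 252->255 256 68d5e2-68d5e6 252->256 253->254
257 68d34a-68d35b 253->257 258 68d593-68d5c3 call 68cceb 254->258 259 68d415-68d426 254->259 264 68d78d-68d7a9 WriteFile 255->264 265 68d783-68d788 call 68e6e1
255->265 260 68d5e8 256->260 261 68d5ea-68d5ee 256->261 257->254 262 68d361-68d3da call 68cceb call 68e6f9 call 68cceb call 689ce6 call 68a7e1 257->262 280 68d5ca
258->280 259->258 263 68d42c-68d485 VirtualAlloc call 689ce6 call 68a7e1 259->263 267 68d5d5-68d5d9 260->267 268 68d5f0 261->268 269 68d5f2-68d608 261->269
309 68d3dc-68d3e0 262->309 310 68d3e2-68d3e7 call 68e6e1 262->310 291 68d48d-68d492 call 68e6e1 263->291 292 68d487-68d48b 263->292 273 68d7ab-68d7bd WriteFile
264->273 274 68d7c3-68d805 WriteFile FlushFileBuffers CloseHandle LoadLibraryA 264->274 265->264 267->252 268->267 269->267 273->274 278 68d82b-68d84a call 690476
274->278 279 68d807-68d826 call 68ed30 DeleteFileA call 68e6e1 274->279 278->191 279->278 280->250 294 68d497-68d4c3 291->294 292->291 292->294 297 68d4d2-68d4e5
294->297 298 68d55f-68d581 VirtualFree 297->298 299 68d4e7-68d51e 297->299 298->258 301 68d52a-68d53e 299->301 302 68d520-68d525 call 68e6e1 299->302 305 68d54d
301->305 306 68d540-68d54b 301->306 302->301 305->298 306->305 308 68d54f-68d55a call 68cf7a 306->308 308->297 309->310 311 68d3ec-68d3ff 309->311 310->311 311->280
"""

NODE_ID = re.compile(r"^\d{1,4}$")                        # decimal block id
ADDR = re.compile(r"^[0-9a-f]{5,8}(?:-[0-9a-f]{5,8})?$")   # start[-end] of the block
EDGE = re.compile(r"^(\d+)->(\d+)$")


def parse_cfg(text):
    """Return ({id: {"range", "apis", "calls"}}, [(src, dst), ...])."""
    tokens = text.replace("control_flow_graph", " ").split()
    nodes, edges, cur, i = {}, [], None, 0
    while i < len(tokens):
        t = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if EDGE.match(t):
            a, b = EDGE.match(t).groups()
            edges.append((int(a), int(b)))
            i += 1
        elif NODE_ID.match(t) and ADDR.match(nxt):       # new block definition
            cur = int(t)
            nodes[cur] = {"range": nxt, "apis": [], "calls": []}
            i += 2
        elif t == "call":                                 # "call <callee>"
            nodes[cur]["calls"].append(nxt)
            i += 2
        elif t == "*":                                    # "call X * N": X appears N times
            nodes[cur]["calls"].extend(nodes[cur]["calls"][-1:] * (int(nxt) - 1))
            i += 2
        else:                                             # anything else is an API name
            nodes[cur]["apis"].append(t)
            i += 1
    return nodes, edges


def reachable(edges, start):
    """Ids reachable from start by following edges (start itself only via a cycle)."""
    succ = {}
    for a, b in edges:
        succ.setdefault(a, []).append(b)
    seen, queue = set(), deque([start])
    while queue:
        for m in succ.get(queue.popleft(), []):
            if m not in seen:
                seen.add(m)
                queue.append(m)
    return seen


def find_api_sequence(nodes, edges, sequence):
    """One block id per API in `sequence`, each reachable from the previous
    one (or the same block with the API later in its list); None if no path."""
    def search(idx, prev, prev_pos):
        if idx == len(sequence):
            return []
        for n in sorted(nodes):
            for pos, api in enumerate(nodes[n]["apis"]):
                if api != sequence[idx]:
                    continue
                if prev is None or (n == prev and pos > prev_pos) or \
                        (n != prev and n in reachable(edges, prev)):
                    rest = search(idx + 1, n, pos)
                    if rest is not None:
                        return [n] + rest
        return None
    return search(0, None, -1)


if __name__ == "__main__":
    nodes, edges = parse_cfg(CFG_TEXT)
    print(len(nodes), "blocks,", len(edges), "edges")
    print(find_api_sequence(nodes, edges, ["CreateFileA", "WriteFile", "LoadLibraryA", "DeleteFileA"]))
```

Reachability says only that a path exists in the static graph, not that the sandbox run took it; cross-check any sequence found here against the executed/not-executed colouring of the original graph and the dynamic file events in the report.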
                                                                                                                                                                                      C-Code - Quality: 83%
                                                                                                                                                                                      			E0068CF7A(CHAR* __ecx) {
                                                                                                                                                                                      				signed int _v8;
				char _v20;
				intOrPtr _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				void* _v80;
				char _v84;
				signed int _v88;
				intOrPtr _v92;
				signed int _v96;
				intOrPtr _v100;
				struct HINSTANCE__* _v104;
				signed int _v108;
				intOrPtr _v112;
				void* _v116;
				intOrPtr* _v120;
				long* _v124;
				intOrPtr _v128;
				signed int _v132;
				void* _v136;
				signed int _v140;
				intOrPtr _v144;
				signed int _v148;
				char* _v152;
				signed int _v156;
				long _v160;
				struct HINSTANCE__* _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				CHAR* _v212;
				struct HINSTANCE__* _v216;
				struct HINSTANCE__* _v220;
				struct HINSTANCE__* _v224;
				struct HINSTANCE__* _v228;
				struct HINSTANCE__* _t402;
				void* _t403;
				signed int _t409;
				signed int _t412;
				signed int _t415;
				signed int _t419;
				signed int _t422;
				signed int _t435;
				signed int _t447;
				struct HINSTANCE__* _t519;
				signed int _t529;
				void* _t536;
				void* _t543;
				signed int _t546;
				void* _t547;
				signed int _t556;
				signed int _t564;
				void* _t570;
				signed int _t572;
				signed int _t577;
				void* _t579;
				void* _t581;
				signed int _t585;
				signed int _t586;
				signed int _t596;
				struct HINSTANCE__* _t604;
				struct HINSTANCE__* _t606;
				void* _t611;
				void* _t615;
				void* _t622;
				signed int _t624;
				signed int _t625;
				signed int _t645;
				signed int _t652;
				void* _t679;
				void* _t689;
				void* _t692;
				void* _t693;
				void* _t714;
				intOrPtr _t732;

				_t610 = __ecx;
				_push(0xffffffff);
				_push(0x6934d8);
				_push(0x69052c);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t732;
				_push(__ecx);
				_push(__ecx);
				_v28 = _t732 - 0xcc;
				_v212 = __ecx;
				_v60 = _v60 | 0xffffffff;
				_v56 = _v56 | 0xffffffff;
				_v80 = _v80 | 0xffffffff;
				_v52 = _v52 & 0x00000000;
				_v48 = _v48 & 0x00000000;
				_v32 = _v32 & 0x00000000;
				_v44 = _v44 & 0x00000000;
				_v76 = _v76 & 0x00000000;
				_v68 = _v68 & 0x00000000;
				_v72 = _v72 & 0x00000000;
				_v64 = _v64 & 0x00000000;
				_v40 = _v40 & 0x00000000;
				_v8 = _v8 & 0x00000000;
				_t402 = GetModuleHandleA(_v212); // executed
				if(_t402 == 0) {
					_t403 = E0068E9C8(_t610, _v212);
					_pop(_t611);
					_v36 = E0068EA26(_t611, _t403);
					_t613 = _v36;
					_v96 = E0068AC70(_v36);
					__eflags = _v96;
					if(_v96 != 0) {
						_v40 = E0068EDF2(_t613, _v96, 0, 0);
						_v104 = GetModuleHandleA(_v40);
						__eflags = _v104;
						if(__eflags == 0) {
							_t409 = E00689BD7(_t613, __eflags, _v36, 0, 0,  &_v60);
							__eflags = _t409;
							if(_t409 == 0) {
								__eflags = _v60;
								if(_v60 == 0) {
									_t613 = 0xef00000f;
									E0068E6E1(_t409, 0xef00000f);
								}
							}
							L00689ED0(_t613, _v60,  &_v84);
							_t412 = E0068E6F9(_t613, 0x40);
							_pop(0xef00000f);
							_v168 = _t412;
							_v72 = _v168;
							_t415 = E0068A7E1(0xef00000f, _v60, _v72, 0x40, 0, 0,  &_v88);
							__eflags = _t415;
							if(_t415 == 0) {
								L11:
								E0068E6E1(_t415, 0xef00000f);
							} else {
								__eflags = _v88;
								if(_v88 == 0) {
									goto L11;
								}
							}
							E00689CE6(0xef00000f, _v60,  *((intOrPtr*)(_v72 + 0x3c)), 0, 0);
							_t419 = E0068E6F9(0xef00000f, 0xf8);
							_pop(_t615);
							_v172 = _t419;
							_v68 = _v172;
							_t422 = E0068A7E1(_t615, _v60, _v68, 0xf8, 0, 0,  &_v88);
							__eflags = _t422;
							if(_t422 == 0) {
								L14:
								E0068E6E1(_t422, 0xef00000f);
							} else {
								__eflags = _v88;
								if(_v88 == 0) {
									goto L14;
								}
							}
							_t424 = _v68;
							__eflags =  *_v68 - 0x4550;
							if( *_v68 != 0x4550) {
								E0068E6E1(_t424, 0xef00000c);
							}
							_t79 = ( *(_v68 + 0x14) & 0x0000ffff) + 0x18; // 0x18
							_v100 = _v68 + _t79 - _v68 +  *((intOrPtr*)(_v72 + 0x3c));
							_v92 = _v100 + ( *(_v68 + 6) & 0x0000ffff) * 0x28;
							_t435 = E0068CCEB(_v100 + ( *(_v68 + 6) & 0x0000ffff) * 0x28, _v92 + 0x28, 0x200);
							_pop(_t622);
							_v52 = _t435;
                                                                                                                                                                                      							_v176 = E0068E6F9(_t622, _v52);
                                                                                                                                                                                      							_v32 = _v176;
                                                                                                                                                                                      							_t624 = _v52;
                                                                                                                                                                                      							_t714 = _v32;
                                                                                                                                                                                      							_t625 = _t624 >> 2;
                                                                                                                                                                                      							memset(_t714 + _t625, memset(_t714, 0, _t625 << 2), (_t624 & 0x00000003) << 0);
                                                                                                                                                                                      							_v180 = E0068E6F9(0, 0x200);
                                                                                                                                                                                      							_v76 = _v180;
                                                                                                                                                                                      							memset(_v76, 0x90909090, 0x80 << 2);
                                                                                                                                                                                      							E00689CE6(0, _v60, 0, 0, 0);
                                                                                                                                                                                      							_t447 = E0068A7E1(0, _v60, _v32, _v92, 0, 0,  &_v88);
                                                                                                                                                                                      							__eflags = _t447;
                                                                                                                                                                                      							if(_t447 == 0) {
                                                                                                                                                                                      								L19:
                                                                                                                                                                                      								E0068E6E1(_t447, 0xef00000f);
                                                                                                                                                                                      							} else {
                                                                                                                                                                                      								__eflags = _v88;
                                                                                                                                                                                      								if(_v88 == 0) {
                                                                                                                                                                                      									goto L19;
                                                                                                                                                                                      								}
                                                                                                                                                                                      							}
                                                                                                                                                                                      							_v128 = _v32 +  *((intOrPtr*)(_v32 + 0x3c));
                                                                                                                                                                                      							_v116 = _v128 + ( *(_v128 + 0x14) & 0x0000ffff) + 0x18;
                                                                                                                                                                                      							_v112 = _v116 + ( *(_v128 + 6) & 0x0000ffff) * 0x28;
                                                                                                                                                                                      							_v120 = _v128 + 0x88;
                                                                                                                                                                                      							_v108 = _v128 + 0x80;
                                                                                                                                                                                      							 *(_v128 + 0x24) =  *(_v128 + 0x24) & 0x00000000;
                                                                                                                                                                                      							 *(_v128 + 0x20) =  *(_v128 + 0x20) & 0x00000000;
                                                                                                                                                                                      							 *(_v128 + 0x1c) =  *(_v128 + 0x1c) & 0x00000000;
                                                                                                                                                                                      							 *((intOrPtr*)(_v76 + 0x34)) =  *((intOrPtr*)(_v128 + 0xa0));
                                                                                                                                                                                      							 *((intOrPtr*)(_v76 + 0x38)) =  *((intOrPtr*)(_v128 + 0xa4));
                                                                                                                                                                                      							 *((intOrPtr*)(_v76 + 0x3c)) =  *((intOrPtr*)(_v128 + 0x80));
                                                                                                                                                                                      							_v124 = _v76 + 0x40;
                                                                                                                                                                                      							while(1) {
                                                                                                                                                                                      								__eflags = _v116 - _v112;
                                                                                                                                                                                      								if(_v116 >= _v112) {
                                                                                                                                                                                      									break;
                                                                                                                                                                                      								}
                                                                                                                                                                                      								 *_v124 =  *(_v116 + 0x14);
                                                                                                                                                                                      								_v124 =  &(_v124[1]);
                                                                                                                                                                                      								 *_v124 =  *(_v116 + 0x10);
                                                                                                                                                                                      								_v124 =  &(_v124[1]);
                                                                                                                                                                                      								__eflags =  *0x695a14 - 2;
                                                                                                                                                                                      								if( *0x695a14 >= 2) {
                                                                                                                                                                                      									L30:
                                                                                                                                                                                      									_t536 = _v116;
                                                                                                                                                                                      									_t674 = _v108;
                                                                                                                                                                                      									__eflags =  *((intOrPtr*)(_t536 + 0xc)) -  *_v108;
                                                                                                                                                                                      									if( *((intOrPtr*)(_t536 + 0xc)) <=  *_v108) {
                                                                                                                                                                                      										_t547 = _v116;
                                                                                                                                                                                      										_t679 = _v116;
                                                                                                                                                                                      										_t674 = _v108;
                                                                                                                                                                                      										__eflags =  *((intOrPtr*)(_t547 + 0xc)) +  *((intOrPtr*)(_t679 + 0x10)) -  *_v108;
                                                                                                                                                                                      										if( *((intOrPtr*)(_t547 + 0xc)) +  *((intOrPtr*)(_t679 + 0x10)) >  *_v108) {
                                                                                                                                                                                      											_v136 = _v136 & 0x00000000;
                                                                                                                                                                                      											_v8 = 1;
                                                                                                                                                                                      											_v136 = VirtualAlloc(0,  *(_v116 + 0x10), 0x1000, 4);
                                                                                                                                                                                      											E00689CE6(_t674, _v60,  *(_v116 + 0x14), 0, 0);
                                                                                                                                                                                      											_t556 = E0068A7E1(_t674, _v60, _v136,  *(_v116 + 0x10), 0, 0,  &_v88);
                                                                                                                                                                                      											__eflags = _t556;
                                                                                                                                                                                      											if(_t556 == 0) {
                                                                                                                                                                                      												L34:
                                                                                                                                                                                      												E0068E6E1(_t556, 0xef00000f);
                                                                                                                                                                                      											} else {
                                                                                                                                                                                      												__eflags = _v88;
                                                                                                                                                                                      												if(_v88 == 0) {
                                                                                                                                                                                      													goto L34;
                                                                                                                                                                                      												}
                                                                                                                                                                                      											}
                                                                                                                                                                                      											_v144 =  *((intOrPtr*)(_v116 + 0xc));
                                                                                                                                                                                      											_v140 = _v136 +  *_v108 - _v144;
                                                                                                                                                                                      											_v148 = _v148 & 0x00000000;
                                                                                                                                                                                      											while(1) {
                                                                                                                                                                                      												_t564 =  *(_v108 + 4);
                                                                                                                                                                                      												_t674 = 0x14;
                                                                                                                                                                                      												__eflags = _v148 - _t564 / _t674;
                                                                                                                                                                                      												if(_v148 >= _t564 / _t674) {
                                                                                                                                                                                      													break;
                                                                                                                                                                                      												}
                                                                                                                                                                                      												_v152 = _v136 +  *((intOrPtr*)(_v140 + 0xc + _v148 * 0x14)) - _v144;
                                                                                                                                                                                      												_t570 = _v116;
                                                                                                                                                                                      												__eflags = _v152 - _v136 +  *((intOrPtr*)(_t570 + 0x10));
                                                                                                                                                                                      												if(_v152 > _v136 +  *((intOrPtr*)(_t570 + 0x10))) {
                                                                                                                                                                                      													E0068E6E1(_t570, 0xef000017);
                                                                                                                                                                                      												}
                                                                                                                                                                                      												_t572 = _v148 * 0x14;
                                                                                                                                                                                      												_t674 = _v140;
                                                                                                                                                                                      												__eflags =  *(_t674 + _t572 + 0xc);
                                                                                                                                                                                      												if( *(_t674 + _t572 + 0xc) == 0) {
                                                                                                                                                                                      													L42:
                                                                                                                                                                                      												} else {
                                                                                                                                                                                      													__eflags =  *_v152;
                                                                                                                                                                                      													if( *_v152 != 0) {
                                                                                                                                                                                      														E0068CF7A(_v152);
                                                                                                                                                                                      														_t577 = _v148 + 1;
                                                                                                                                                                                      														__eflags = _t577;
                                                                                                                                                                                      														_v148 = _t577;
                                                                                                                                                                                      														continue;
                                                                                                                                                                                      													} else {
                                                                                                                                                                                      														goto L42;
                                                                                                                                                                                      													}
                                                                                                                                                                                      												}
                                                                                                                                                                                      												break;
                                                                                                                                                                                      											}
                                                                                                                                                                                      											VirtualFree(_v136,  *(_v116 + 0x10), 0x8000);
                                                                                                                                                                                      											_v136 = _v136 & 0x00000000;
                                                                                                                                                                                      											_v8 = _v8 & 0x00000000;
                                                                                                                                                                                      										}
                                                                                                                                                                                      									}
                                                                                                                                                                                      									 *(_v128 + 0x24) = E0068CCEB(_t674,  *(_v116 + 8),  *((intOrPtr*)(_v128 + 0x38))) +  *(_v128 + 0x24);
                                                                                                                                                                                      									 *(_v116 + 0x10) =  *(_v116 + 0x10) & 0x00000000;
                                                                                                                                                                                      									_t543 = _v116;
                                                                                                                                                                                      									_t278 = _t543 + 0x14;
                                                                                                                                                                                      									 *_t278 =  *(_t543 + 0x14) & 0x00000000;
                                                                                                                                                                                      									__eflags =  *_t278;
                                                                                                                                                                                      									 *((intOrPtr*)(_v116 + 0x24)) = 0xc0000080;
                                                                                                                                                                                      								} else {
                                                                                                                                                                                      									_t579 = _v116;
                                                                                                                                                                                      									__eflags =  *((intOrPtr*)(_t579 + 0xc)) -  *_v120;
                                                                                                                                                                                      									if( *((intOrPtr*)(_t579 + 0xc)) >  *_v120) {
                                                                                                                                                                                      										goto L30;
                                                                                                                                                                                      									} else {
                                                                                                                                                                                      										_t581 = _v116;
                                                                                                                                                                                      										_t689 = _v116;
                                                                                                                                                                                      										_t690 = _v120;
                                                                                                                                                                                      										__eflags =  *((intOrPtr*)(_t581 + 0xc)) +  *((intOrPtr*)(_t689 + 0x10)) -  *_v120;
                                                                                                                                                                                      										if( *((intOrPtr*)(_t581 + 0xc)) +  *((intOrPtr*)(_t689 + 0x10)) <=  *_v120) {
                                                                                                                                                                                      											goto L30;
                                                                                                                                                                                      										} else {
                                                                                                                                                                                      											_t585 = E0068CCEB(_t690,  *(_v116 + 0x10), 0x200);
                                                                                                                                                                                      											_pop(_t692);
                                                                                                                                                                                      											_v48 = _t585;
                                                                                                                                                                                      											_t586 = E0068E6F9(_t692, _v48);
                                                                                                                                                                                      											_pop(_t693);
                                                                                                                                                                                      											_v184 = _t586;
                                                                                                                                                                                      											_v44 = _v184;
                                                                                                                                                                                      											 *(_v128 + 0x20) = E0068CCEB(_t693,  *(_v116 + 8),  *((intOrPtr*)(_v128 + 0x38))) +  *(_v128 + 0x20);
                                                                                                                                                                                      											E00689CE6(_v128, _v60,  *(_v116 + 0x14), 0, 0);
                                                                                                                                                                                      											_t596 = E0068A7E1(_v128, _v60, _v44,  *(_v116 + 0x10), 0, 0,  &_v88);
                                                                                                                                                                                      											__eflags = _t596;
                                                                                                                                                                                      											if(_t596 == 0) {
                                                                                                                                                                                      												L28:
                                                                                                                                                                                      												E0068E6E1(_t596, 0xef00000f);
                                                                                                                                                                                      											} else {
                                                                                                                                                                                      												__eflags = _v88;
                                                                                                                                                                                      												if(_v88 == 0) {
                                                                                                                                                                                      													goto L28;
                                                                                                                                                                                      												}
                                                                                                                                                                                      											}
                                                                                                                                                                                      											 *(_v116 + 0x14) = _v52;
                                                                                                                                                                                      											 *((intOrPtr*)(_v116 + 0x24)) = 0xc0000040;
                                                                                                                                                                                      										}
                                                                                                                                                                                      									}
                                                                                                                                                                                      								}
                                                                                                                                                                                      								_t546 = _v116 + 0x28;
                                                                                                                                                                                      								__eflags = _t546;
                                                                                                                                                                                      								_v116 = _t546;
                                                                                                                                                                                      							}
                                                                                                                                                                                      							_v132 = _v132 & 0x00000000;
                                                                                                                                                                                      							while(1) {
                                                                                                                                                                                      								__eflags = _v132 - 0x10;
                                                                                                                                                                                      								if(_v132 >= 0x10) {
                                                                                                                                                                                      									break;
                                                                                                                                                                                      								}
                                                                                                                                                                                      								__eflags = _v132;
                                                                                                                                                                                      								if(_v132 != 0) {
                                                                                                                                                                                      									__eflags = _v132 - 2;
                                                                                                                                                                                      									if(_v132 != 2) {
                                                                                                                                                                                      										 *(_v128 + 0x7c + _v132 * 8) =  *(_v128 + 0x7c + _v132 * 8) & 0x00000000;
                                                                                                                                                                                      										 *(_v128 + 0x78 + _v132 * 8) =  *(_v128 + 0x78 + _v132 * 8) & 0x00000000;
                                                                                                                                                                                      									}
                                                                                                                                                                                      								}
                                                                                                                                                                                      								_t529 = _v132 + 1;
                                                                                                                                                                                      								__eflags = _t529;
                                                                                                                                                                                      								_v132 = _t529;
                                                                                                                                                                                      							}
                                                                                                                                                                                      							_t645 = 0xa;
                                                                                                                                                                                      							memset(_v116, 0, _t645 << 2);
                                                                                                                                                                                      							 *(_v116 + 0x14) = _v52 + _v48;
                                                                                                                                                                                      							 *((intOrPtr*)(_v116 + 0xc)) =  *((intOrPtr*)(_v128 + 0x50));
                                                                                                                                                                                      							asm("movsd");
                                                                                                                                                                                      							asm("movsw");
                                                                                                                                                                                      							 *(_v116 + 8) = 0x200;
                                                                                                                                                                                      							 *(_v116 + 0x10) = 0x200;
                                                                                                                                                                                      							 *((intOrPtr*)(_v116 + 0x24)) = 0xc0000020;
                                                                                                                                                                                      							 *(_v128 + 0x3c) = 0x200;
                                                                                                                                                                                      							 *((intOrPtr*)(_v128 + 0x50)) =  *((intOrPtr*)(_v128 + 0x50)) + 0x1000;
                                                                                                                                                                                      							 *(_v128 + 0x1c) =  *(_v128 + 0x1c) + 0x1000;
                                                                                                                                                                                      							_t652 = 5;
                                                                                                                                                                                      							memcpy(_v76, 0x690bd7, _t652 << 2);
                                                                                                                                                                                      							asm("movsw");
                                                                                                                                                                                      							asm("movsb");
                                                                                                                                                                                      							_v156 = _v76 + 1;
                                                                                                                                                                                      							 *(_v156 + 1) =  *(_v128 + 0x28);
                                                                                                                                                                                      							_v156 = _v156 + 5;
                                                                                                                                                                                      							 *(_v156 + 1) = _v36;
                                                                                                                                                                                      							_v156 = _v156 + 5;
                                                                                                                                                                                      							 *(_v156 + 1) = _v60;
                                                                                                                                                                                      							_v156 = _v156 + 5;
                                                                                                                                                                                      							_v156 = _v156 + 1;
                                                                                                                                                                                      							 *(_v156 + 1) = 0x68cddb;
                                                                                                                                                                                      							_v156 = _v156 & 0x00000000;
                                                                                                                                                                                      							asm("stosd");
                                                                                                                                                                                      							asm("stosd");
                                                                                                                                                                                      							asm("stosd");
                                                                                                                                                                                      							 *((intOrPtr*)(_v76 + 0x24)) = 8;
                                                                                                                                                                                      							 *((intOrPtr*)(_v128 + 0xa4)) = 8;
                                                                                                                                                                                      							 *((intOrPtr*)(_v128 + 0xa0)) =  *((intOrPtr*)(_v116 + 0xc)) + 0x20;
                                                                                                                                                                                      							 *(_v128 + 0x28) =  *(_v116 + 0xc);
                                                                                                                                                                                      							_t661 = _v128;
                                                                                                                                                                                      							 *(_v128 + 6) =  *(_v128 + 6) + 1;
                                                                                                                                                                                      							_v80 = CreateFileA(_v40, 0x40000000, 0, 0, 2, 0, 0);
                                                                                                                                                                                      							__eflags = _v80 - 0xffffffff;
                                                                                                                                                                                      							if(_v80 == 0xffffffff) {
                                                                                                                                                                                      								_t661 = 0xef000011;
                                                                                                                                                                                      								E0068E6E1(_t509, 0xef000011);
                                                                                                                                                                                      							}
                                                                                                                                                                                      							WriteFile(_v80, _v32, _v52,  &_v160, 0);
                                                                                                                                                                                      							__eflags = _v44;
                                                                                                                                                                                      							if(_v44 != 0) {
                                                                                                                                                                                      								WriteFile(_v80, _v44, _v48,  &_v160, 0);
                                                                                                                                                                                      							}
                                                                                                                                                                                      							WriteFile(_v80, _v76, 0x200,  &_v160, 0);
                                                                                                                                                                                      							FlushFileBuffers(_v80);
                                                                                                                                                                                      							CloseHandle(_v80);
                                                                                                                                                                                      							_v164 = LoadLibraryA(_v40);
                                                                                                                                                                                      							__eflags = _v164;
                                                                                                                                                                                      							if(_v164 == 0) {
                                                                                                                                                                                      								E0068ED30(_t661, "Z:\Projects\molestudio\molebox2\bootup\mbx_DLL.cpp", 0x174);
                                                                                                                                                                                      								E0068E6E1(DeleteFileA(_v40), 0xef000010);
                                                                                                                                                                                      							}
                                                                                                                                                                                      							_v228 = _v164;
                                                                                                                                                                                      							0x690476( &_v20, 0xffffffff);
                                                                                                                                                                                      							_t519 = _v228;
                                                                                                                                                                                      						} else {
                                                                                                                                                                                      							_v224 = _v104;
                                                                                                                                                                                      							0x690476( &_v20, 0xffffffff);
                                                                                                                                                                                      							_t519 = _v224;
                                                                                                                                                                                      						}
                                                                                                                                                                                      					} else {
                                                                                                                                                                                      						_t604 = LoadLibraryA(_v212); // executed
                                                                                                                                                                                      						_v220 = _t604;
                                                                                                                                                                                      						0x690476( &_v20, 0xffffffff);
                                                                                                                                                                                      						_t519 = _v220;
                                                                                                                                                                                      					}
                                                                                                                                                                                      				} else {
                                                                                                                                                                                      					_t606 = LoadLibraryA(_v212);
                                                                                                                                                                                      					_v216 = _t606;
                                                                                                                                                                                      					0x690476( &_v20, 0xffffffff);
                                                                                                                                                                                      					_t519 = _v216;
                                                                                                                                                                                      				}
                                                                                                                                                                                      				 *[fs:0x0] = _v20;
                                                                                                                                                                                      				return _t519;
                                                                                                                                                                                      			}
                                                                                                                                                                                      0x0068cf7a
                                                                                                                                                                                      0x0068cf7d
                                                                                                                                                                                      0x0068cf7f
                                                                                                                                                                                      0x0068cf84
                                                                                                                                                                                      0x0068cf8f
                                                                                                                                                                                      0x0068cf90
                                                                                                                                                                                      0x0068cf97
                                                                                                                                                                                      0x0068cf98
                                                                                                                                                                                      0x0068cfa2
                                                                                                                                                                                      0x0068cfa5
                                                                                                                                                                                      0x0068cfab
                                                                                                                                                                                      0x0068cfaf
                                                                                                                                                                                      0x0068cfb3
                                                                                                                                                                                      0x0068cfb7
                                                                                                                                                                                      0x0068cfbb
                                                                                                                                                                                      0x0068cfbf
                                                                                                                                                                                      0x0068cfc3
                                                                                                                                                                                      0x0068cfc7
                                                                                                                                                                                      0x0068cfcb
                                                                                                                                                                                      0x0068cfcf
                                                                                                                                                                                      0x0068cfd3
                                                                                                                                                                                      0x0068cfd7
                                                                                                                                                                                      0x0068cfdb
                                                                                                                                                                                      0x0068cfe5
                                                                                                                                                                                      0x0068cfed
                                                                                                                                                                                      0x0068d01f
                                                                                                                                                                                      0x0068d024
[Disassembly view residue: only the address column was extracted, with no instruction text. The listed addresses span 0x0068d02c to 0x0068d5c3 in the analyzed image (njw.exe), interspersed with 0x00000000 entries; the corresponding instructions are not present on this page.]
                                                                                                                                                                                      0x00000000
                                                                                                                                                                                      0x0068d361
                                                                                                                                                                                      0x0068d36c
                                                                                                                                                                                      0x0068d372
                                                                                                                                                                                      0x0068d373
                                                                                                                                                                                      0x0068d379
                                                                                                                                                                                      0x0068d37e
                                                                                                                                                                                      0x0068d37f
                                                                                                                                                                                      0x0068d38b
                                                                                                                                                                                      0x0068d3aa
                                                                                                                                                                                      0x0068d3ba
                                                                                                                                                                                      0x0068d3d3
                                                                                                                                                                                      0x0068d3d8
                                                                                                                                                                                      0x0068d3da
                                                                                                                                                                                      0x0068d3e2
                                                                                                                                                                                      0x0068d3e7
                                                                                                                                                                                      0x0068d3dc
                                                                                                                                                                                      0x0068d3dc
                                                                                                                                                                                      0x0068d3e0
                                                                                                                                                                                      0x00000000
                                                                                                                                                                                      0x00000000
                                                                                                                                                                                      0x0068d3e0
                                                                                                                                                                                      0x0068d3f2
                                                                                                                                                                                      0x0068d3f8
                                                                                                                                                                                      0x0068d3f8
                                                                                                                                                                                      0x0068d35b
                                                                                                                                                                                      0x0068d344
                                                                                                                                                                                      0x0068d2f2
                                                                                                                                                                                      0x0068d2f2
                                                                                                                                                                                      0x0068d2f5
                                                                                                                                                                                      0x0068d2f5
                                                                                                                                                                                      0x0068d5cf
                                                                                                                                                                                      0x0068d5dc
                                                                                                                                                                                      0x0068d5dc
                                                                                                                                                                                      0x0068d5e0
                                                                                                                                                                                      0x00000000
                                                                                                                                                                                      0x00000000
                                                                                                                                                                                      0x0068d5e2
                                                                                                                                                                                      0x0068d5e6
                                                                                                                                                                                      0x0068d5ea
                                                                                                                                                                                      0x0068d5ee
                                                                                                                                                                                      0x0068d5f8
                                                                                                                                                                                      0x0068d603
                                                                                                                                                                                      0x0068d603
                                                                                                                                                                                      0x0068d5ee
                                                                                                                                                                                      0x0068d5d8
                                                                                                                                                                                      0x0068d5d8
                                                                                                                                                                                      0x0068d5d9
                                                                                                                                                                                      0x0068d5d9
                                                                                                                                                                                      0x0068d60c
                                                                                                                                                                                      0x0068d612
                                                                                                                                                                                      0x0068d61d
                                                                                                                                                                                      0x0068d629
                                                                                                                                                                                      0x0068d634
                                                                                                                                                                                      0x0068d635
                                                                                                                                                                                      0x0068d63a
                                                                                                                                                                                      0x0068d644
                                                                                                                                                                                      0x0068d64e
                                                                                                                                                                                      0x0068d658
                                                                                                                                                                                      0x0068d66d
                                                                                                                                                                                      0x0068d67e
                                                                                                                                                                                      0x0068d688
                                                                                                                                                                                      0x0068d68c
                                                                                                                                                                                      0x0068d68e
                                                                                                                                                                                      0x0068d690
                                                                                                                                                                                      0x0068d695
                                                                                                                                                                                      0x0068d6a7
                                                                                                                                                                                      0x0068d6b3
                                                                                                                                                                                      0x0068d6c2
                                                                                                                                                                                      0x0068d6ce
                                                                                                                                                                                      0x0068d6dd
                                                                                                                                                                                      0x0068d6e9
                                                                                                                                                                                      0x0068d6f6
                                                                                                                                                                                      0x0068d702
                                                                                                                                                                                      0x0068d709
                                                                                                                                                                                      0x0068d718
                                                                                                                                                                                      0x0068d719
                                                                                                                                                                                      0x0068d71a
                                                                                                                                                                                      0x0068d71e
                                                                                                                                                                                      0x0068d728
                                                                                                                                                                                      0x0068d73e
                                                                                                                                                                                      0x0068d74d
                                                                                                                                                                                      0x0068d75b
                                                                                                                                                                                      0x0068d75e
                                                                                                                                                                                      0x0068d77a
                                                                                                                                                                                      0x0068d77d
                                                                                                                                                                                      0x0068d781
                                                                                                                                                                                      0x0068d783
                                                                                                                                                                                      0x0068d788
                                                                                                                                                                                      0x0068d788
                                                                                                                                                                                      0x0068d79f
                                                                                                                                                                                      0x0068d7a5
                                                                                                                                                                                      0x0068d7a9
                                                                                                                                                                                      0x0068d7bd
                                                                                                                                                                                      0x0068d7bd
                                                                                                                                                                                      0x0068d7d7
                                                                                                                                                                                      0x0068d7e0
                                                                                                                                                                                      0x0068d7e9
                                                                                                                                                                                      0x0068d7f8
                                                                                                                                                                                      0x0068d7fe
                                                                                                                                                                                      0x0068d805
                                                                                                                                                                                      0x0068d811
                                                                                                                                                                                      0x0068d826
                                                                                                                                                                                      0x0068d826
                                                                                                                                                                                      0x0068d833
                                                                                                                                                                                      0x0068d83d
                                                                                                                                                                                      0x0068d844
                                                                                                                                                                                      0x0068d08e
                                                                                                                                                                                      0x0068d093
                                                                                                                                                                                      0x0068d09d
                                                                                                                                                                                      0x0068d0a4
                                                                                                                                                                                      0x0068d0a4
                                                                                                                                                                                      0x0068d040
                                                                                                                                                                                      0x0068d046
                                                                                                                                                                                      0x0068d04e
                                                                                                                                                                                      0x0068d058
                                                                                                                                                                                      0x0068d05f
                                                                                                                                                                                      0x0068d05f
                                                                                                                                                                                      0x0068cfef
                                                                                                                                                                                      0x0068cff5
                                                                                                                                                                                      0x0068cffd
                                                                                                                                                                                      0x0068d007
                                                                                                                                                                                      0x0068d00e
                                                                                                                                                                                      0x0068d00e
                                                                                                                                                                                      0x0068d8e1
                                                                                                                                                                                      0x0068d8ec

APIs
• GetModuleHandleA.KERNEL32(?), ref: 0068CFE5
• LoadLibraryA.KERNEL32(?), ref: 0068CFF5
• LoadLibraryA.KERNEL32(?), ref: 0068D046
Strings
• Z:\Projects\molestudio\molebox2\bootup\mbx_DLL.cpp, xrefs: 0068D80C
• _BOX_, xrefs: 0068D62C
Memory Dump Source
• Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: LibraryLoad$HandleModule
• String ID: Z:\Projects\molestudio\molebox2\bootup\mbx_DLL.cpp$_BOX_
• API String ID: 2593893887-309754622
• Opcode ID: da4648dc99d1403d5ddc27d0ce28bc46ec17b57caf5c8fc393bc90086174c097
• Instruction ID: e666f85545ea0885a52da9f9338d6b5da51e23b5c5618ae94186e17f17667789
• Opcode Fuzzy Hash: da4648dc99d1403d5ddc27d0ce28bc46ec17b57caf5c8fc393bc90086174c097
• Instruction Fuzzy Hash: 6D52E971E00218DFDB64DFA8D885BACBBB2FF08314F204159E519AB392DB71A991CF14
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                                      Control-flow Graph

control_flow_graph 316 43cb40-43cba6 call 404ca8 * 2 call 40690c 323 43ccc1-43ccc7 call 404890 316->323 324 43cbac-43cbc2 call 43c64c call 404ac0 316->324 328 43cccc-43ccf8 call 43c740 call 404cb8 call 407210 323->328 333 43cbc4-43cbca 324->333 334 43cbdd-43cbf6 call 42b0f4 call 42b1a0 324->334 343 43d179-43d1c0 call 40481c call 40689c call 40481c * 2 call 40689c 328->343 344 43ccfe-43cd0b 328->344 333->328 336 43cbd0-43cbd7 333->336 347 43ccb1-43ccbf call 404b0c 334->347 348 43cbfc-43cc08 call 42c174 334->348 336->328 336->334 355 43cd11-43cd28 call 407370 call 4047f8 344->355 356 43d10e-43d148 call 404b80 call 404ac0 WriteFile SetEndOfFile call 4071e8 344->356 347->328 358 43cc16-43cc9e call 404ac8 call 404e44 call 407f9c call 404cb8 * 3 call 42a540 348->358 359 43cc0a-43cc11 MessageBeep 348->359 378 43cdcf-43cddc 355->378 379 43cd2e-43cd49 call 43c818 call 404ac0 355->379 381 43d14d-43d151 356->381 358->343 435 43cca4-43ccaf call 4049f8 358->435 359->343 392 43cdee-43cdf0 378->392 393 43cdde-43cdec 378->393 403 43cdc7-43cdca call 4047f8 379->403 404 43cd4b-43cd5f call 43c818 379->404 385 43d153-43d16b call 40689c 381->385 386 43d177 381->386 385->386 415 43d16d-43d172 385->415 386->343 395 43cdf4-43cdf6 392->395 393->392 405 43cdf2 393->405 399 43ce02-43ce19 call 407218 395->399 400 43cdf8-43cdfc 395->400 407 43d100-43d109 call 4075a0 399->407 418 43ce1f-43ce3a call 407518 399->418 400->399 400->407 403->378 416 43cd61-43cd79 404->416 417 43cd7b-43cd8b 404->417 405->395 407->356 415->386 431 43cd93-43cd95 416->431 417->431 427 43ce40-43ce44 418->427 428 43d0f7-43d0fb call 4071e8 418->428 432 43d075-43d077 427->432 433 43ce4a 427->433 428->407 436 43cda1-43cda3 431->436 437 43cd97-43cd9f call 4047f8 431->437 439 43d079-43d085 call 4075a0 432->439 440 43d0ee-43d0f2 call 407600 432->440 438 43ce4d-43ce8e call 404ac0 call 404b0c call 404cb8 call 409b38 433->438 435->328 441 43cda5 436->441 442 43cda9-43cdb6 call 404e44 436->442 437->378 472 43ce94-43ceb6 call 409b38 438->472 473 43d06c-43d06f 438->473 455 43d087-43d0ab call 409b38 439->455 440->428 449 43cda7 441->449 450 43cdb8-43cdc5 call 404e44 441->450 442->378 449->378 450->378 465 43d0d3-43d0d6 455->465 466 43d0ad-43d0d1 455->466 465->440 468 43d0d8-43d0e9 call 402a18 465->468 466->455 466->465 468->440 477 43ced9 472->477 478 43ceb8-43ced7 call 409b38 472->478 473->432 473->438 480 43cedd-43cee1 477->480 478->480 480->473 482 43cee7-43cf0c call 409b38 480->482 485 43cf16 482->485 486 43cf0e-43cf14 482->486 487 43cf1a-43cf40 call 4048e8 call 43caac 485->487 486->487 487->473 492 43cf46-43cf58 call 43caac 487->492 492->473 495 43cf5e-43cf70 call 43caac 492->495 495->473 498 43cf76-43cf88 call 43caac 495->498 498->473 501 43cf8e-43cfa8 call 43c818 498->501 504 43cfda-43cfee call 43c818 501->504 505 43cfaa-43cfbc call 43caac 501->505 511 43cff0-43d00d call 404ac0 call 404cb8 call 40a5f8 504->511 512 43d00f 504->512 505->473 510 43cfc2-43cfd4 call 43caac 505->510 510->473 510->504 513 43d014-43d049 call 40a328 call 43c94c 511->513 512->513 526 43d061-43d06a 513->526 527 43d04b-43d05c call 402a18 513->527 526->432 527->526
                                                                                                                                                                                      APIs
                                                                                                                                                                                      • MessageBeep.USER32(00000000), ref: 0043CC0C
                                                                                                                                                                                      • WriteFile.KERNEL32(00000000,005FA000,00000000,?,00000000,0043D2CC,0043D2CC,005FA000,?,00607910,?,00000001,?,0044523F,?,?), ref: 0043D13C
                                                                                                                                                                                      • SetEndOfFile.KERNEL32(00000000,00000000,005FA000,00000000,?,00000000,0043D2CC,0043D2CC,005FA000,?,00607910,?,00000001,?,0044523F), ref: 0043D142
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: File$BeepMessageWrite
                                                                                                                                                                                      • String ID: date/time$*.txt$L$callstack crc$count$current module$date/time$exception class$exec. date/time$executable$module date/time$version
                                                                                                                                                                                      • API String ID: 11317427-2501506387
                                                                                                                                                                                      • Opcode ID: 1eb0f18d477a63c87e8e264402b5eb628ba25178a4cb91791152032316d575e3
                                                                                                                                                                                      • Instruction ID: 18910f57363a15dfa1f1638d027c8fffd4cee4d2aaf38cd46e4d0b52b40285e7
                                                                                                                                                                                      • Opcode Fuzzy Hash: 1eb0f18d477a63c87e8e264402b5eb628ba25178a4cb91791152032316d575e3
                                                                                                                                                                                      • Instruction Fuzzy Hash: 3B123A70E002099FDB10EBA5D885BDEB7B5BF48318F20916AF510BB391CB78AD458B59
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                      control_flow_graph 529 42bbb8-42bbee call 404ca8 * 2 534 42bbf4-42bc16 WaitForSingleObject 529->534 535 42be2c-42be49 call 4047f8 * 2 529->535 537 42bc22 534->537 538 42bc18-42bc1c 534->538 541 42bc24-42bc2f 537->541 538->537 540 42bc1e-42bc20 538->540 540->541 543 42bc34-42bc38 541->543 544 42bc3a-42bc3c 543->544 545 42bc3e-42bc47 543->545 544->545 547 42bc31 544->547 548 42bcd5-42bcd9 545->548 549 42bc4d-42bc58 545->549 547->543 552 42bdba-42bdbe 548->552 553 42bcdf-42bce3 548->553 550 42bc5a-42bc5e 549->550 551 42bc9f-42bcaa LocalSize 549->551 554 42bc60-42bc66 call 4049f8 550->554 555 42bc6b-42bc74 LocalSize 550->555 560 42bcb2-42bcc4 LocalFree LocalSize 551->560 561 42bcac-42bcaf 551->561 558 42bdc0-42bdc4 call 4071e8 552->558 559 42bdc9-42bdd3 552->559 556 42bce5-42bce9 553->556 557 42bd1e-42bd22 553->557 554->555 555->551 569 42bc76-42bc7a 555->569 567 42bceb-42bcfa call 42af40 556->567 568 42bcfc-42bd19 GetCurrentProcess * 2 DuplicateHandle 556->568 557->559 570 42bd28-42bdb8 LocalAlloc call 404ac0 LocalAlloc call 404ac0 LocalAlloc call 404ac0 call 404cb8 call 402a18 call 404ac0 call 404cb8 call 402a18 557->570 558->559 562 42bdd5-42bdde LocalSize 559->562 563 42be09-42be24 ReleaseMutex 559->563 564 42bcc6-42bcca LocalFree 560->564 565 42bccf-42bcd0 LocalFree 560->565 561->560 572 42be02-42be07 562->572 573 42bde0-42bded WaitForSingleObject 562->573 564->565 565->548 567->557 568->557 575 42bc87-42bc8b 569->575 576 42bc7c-42bc82 call 4049f8 569->576 570->559 572->562 572->563 573->572 578 42bdef-42be00 call 42bbb8 573->578 581 42bc93-42bc97 575->581 582 42bc8d-42bc90 575->582 576->575 578->563 581->551 585 42bc99-42bc9c 581->585 582->581 585->551
                                                                                                                                                                                      APIs
                                                                                                                                                                                      • WaitForSingleObject.KERNEL32(?,000000FF,00000000,0042BE4A,?,?,?), ref: 0042BBFF
                                                                                                                                                                                      • LocalSize.KERNEL32(00000000), ref: 0042BC6C
                                                                                                                                                                                      • LocalSize.KERNEL32(00000000), ref: 0042BCA2
                                                                                                                                                                                      • LocalFree.KERNEL32(?,00000000,00000000,0042BE25,?,?,000000FF,00000000,0042BE4A,?,?,?), ref: 0042BCB6
                                                                                                                                                                                      • LocalSize.KERNEL32(00000000), ref: 0042BCBC
                                                                                                                                                                                      • LocalFree.KERNEL32(?,00000000,?,00000000,00000000,0042BE25,?,?,000000FF,00000000,0042BE4A,?,?,?), ref: 0042BCCA
                                                                                                                                                                                      • LocalFree.KERNEL32(00000000,00000000,?,00000000,00000000,0042BE25,?,?,000000FF,00000000,0042BE4A,?,?,?), ref: 0042BCD0
                                                                                                                                                                                      • GetCurrentProcess.KERNEL32(00000000,00100040,00000000,00000000,00000000,0042BE25,?,?,000000FF,00000000,0042BE4A,?,?,?), ref: 0042BD09
                                                                                                                                                                                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00100040,00000000,00000000,00000000,0042BE25,?,?,000000FF,00000000,0042BE4A,?,?,?), ref: 0042BD13
                                                                                                                                                                                      • DuplicateHandle.KERNEL32(00000000,00000000,00000000,00000000,00100040,00000000,00000000,00000000,0042BE25,?,?,000000FF,00000000,0042BE4A), ref: 0042BD19
                                                                                                                                                                                      • LocalAlloc.KERNEL32(00000040,0000001C,00000000,0042BE25,?,?,000000FF,00000000,0042BE4A,?,?,?), ref: 0042BD2C
                                                                                                                                                                                      • LocalAlloc.KERNEL32(00000040,00000001,00000040,0000001C,00000000,0042BE25,?,?,000000FF,00000000,0042BE4A,?,?,?), ref: 0042BD47
                                                                                                                                                                                      • LocalAlloc.KERNEL32(00000040,00000001,00000040,00000001,00000040,0000001C,00000000,0042BE25,?,?,000000FF,00000000,0042BE4A,?,?,?), ref: 0042BD5B
                                                                                                                                                                                      • LocalSize.KERNEL32(?), ref: 0042BDD6
                                                                                                                                                                                      • WaitForSingleObject.KERNEL32(?,00000000,00000000,0042BE25,?,?,000000FF,00000000,0042BE4A,?,?,?), ref: 0042BDE6
                                                                                                                                                                                      • ReleaseMutex.KERNEL32(?,0042BE2C,?,000000FF,00000000,0042BE4A,?,?,?), ref: 0042BE1F
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: Local$Size$AllocFree$CurrentObjectProcessSingleWait$DuplicateHandleMutexRelease
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID: 3731575727-0
                                                                                                                                                                                      • Opcode ID: 4a226d10be0e5689b1222903dcaf70f5f0f81611f2656b9764e077457acd03bb
                                                                                                                                                                                      • Instruction ID: d6b240295f11a497515275c30289a92550d1acdd33eb2583c7e21f5f3cc04d6d
                                                                                                                                                                                      • Opcode Fuzzy Hash: 4a226d10be0e5689b1222903dcaf70f5f0f81611f2656b9764e077457acd03bb
                                                                                                                                                                                      • Instruction Fuzzy Hash: 7B81AC70A042149FDB10EF69D881BAE77A4EB45304F91846BF914EB392CB7CEC40DB99
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                      APIs
                                                                                                                                                                                        • Part of subcall function 0042E734: GetCurrentProcessId.KERNEL32(?,00000000,0042E7BA,?,00000000), ref: 0042E760
                                                                                                                                                                                        • Part of subcall function 0042E734: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,00000000,?,00000000,0042E7BA,?,00000000), ref: 0042E79A
                                                                                                                                                                                        • Part of subcall function 0042B7EC: InitializeSecurityDescriptor.ADVAPI32(?,00000001,00000000,0042E75C,00000000,0042E7BA,?,00000000), ref: 0042B800
                                                                                                                                                                                        • Part of subcall function 0042B7EC: SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000,?,00000001,00000000,0042E75C,00000000,0042E7BA,?,00000000), ref: 0042B80C
                                                                                                                                                                                      • GetCurrentProcessId.KERNEL32(iB,00000000,0042E970,?,00000000,0042E992,?,00000000,00000000), ref: 0042E856
                                                                                                                                                                                      • GetCurrentProcessId.KERNEL32(0042EBD3,000000FF,?,00000004,00000000,00000028,00000000,iB,00000000,0042E970,?,00000000,0042E992,?,00000000,00000000), ref: 0042E89B
                                                                                                                                                                                      • OpenFileMappingA.KERNEL32(00000004,00000000,00000000), ref: 0042E8C9
                                                                                                                                                                                      • GetLastError.KERNEL32(000000FF,?,00000004,00000000,00000028,00000000,iB,00000000,0042E970,?,00000000,0042E992,?,00000000,00000000), ref: 0042E8D0
                                                                                                                                                                                      • InitializeCriticalSection.KERNEL32(00000008,00000000,000F001F,00000000,00000000,00000000,000000FF,?,00000004,00000000,00000028,00000000,iB,00000000,0042E970), ref: 0042E8F7
                                                                                                                                                                                      • MessageBoxA.USER32 ref: 0042E937
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: CurrentProcess$DescriptorInitializeSecurity$CriticalDaclErrorFileLastMappingMessageObjectOpenSectionSingleWait
                                                                                                                                                                                      • String ID: internal error (opening settings buffer)$iB$madExcept$madExceptSettingsBuf
                                                                                                                                                                                      • API String ID: 554259201-2004705281
                                                                                                                                                                                      • Opcode ID: a520201da86c91544155b15d6c37748c60bf330ee783afdcec5c649b1b573081
                                                                                                                                                                                      • Instruction ID: da4038013f2275a688a9166b5df66bba4f7b57255cf10e0123217100ce2034d4
                                                                                                                                                                                      • Opcode Fuzzy Hash: a520201da86c91544155b15d6c37748c60bf330ee783afdcec5c649b1b573081
                                                                                                                                                                                      • Instruction Fuzzy Hash: 024185B0B443186EEB50EBA2DC42BAE77A8DB45704F904037F904FB2D2D678A845C769
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%
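The function records above carry three things an analyst usually wants to query rather than read: the API bullets with their `ref:` call-site addresses (some prefixed `Part of subcall function`, meaning the call sits in a callee the report folded into this record), the `$`-joined API ID / String ID lists, and the Opcode ID and Instruction Fuzzy Hash that let a function be matched against another sample's report. The Python below is an added example for parsing that record format; it is not code from Joe Sandbox or from this report. `SAMPLE` is constructed from lines copied from the WriteFile/SetEndOfFile record and the madExceptSettingsBuf record above, keeping only some API lines and shortening their argument snapshots; the function names `parse_records`, `records_calling`, `split_ids` and `api_names` are my own.

```python
"""Parse Joe Sandbox per-function records (APIs / Similarity) into structured data."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: lines copied from two function records of this report,
# trimmed to the sections the parser reads; argument lists are shortened.
SAMPLE = """\
APIs
• MessageBeep.USER32(00000000), ref: 0043CC0C
• WriteFile.KERNEL32(00000000,005FA000,00000000,?,00000000,0043D2CC), ref: 0043D13C
• SetEndOfFile.KERNEL32(00000000,00000000,005FA000,00000000,?,00000000), ref: 0043D142
Similarity
• API ID: File$BeepMessageWrite
• String ID: date/time$*.txt$L$callstack crc$count$current module
• API String ID: 11317427-2501506387
• Opcode ID: 1eb0f18d477a63c87e8e264402b5eb628ba25178a4cb91791152032316d575e3
• Instruction Fuzzy Hash: 3B123A70E002099FDB10EBA5D885BDEB7B5BF48318F20916AF510BB391CB78AD458B59
Uniqueness Score: -1.00%
APIs
  • Part of subcall function 0042E734: GetCurrentProcessId.KERNEL32(?,00000000,0042E7BA), ref: 0042E760
• OpenFileMappingA.KERNEL32(00000004,00000000,00000000), ref: 0042E8C9
• GetLastError.KERNEL32(000000FF,?,00000004,00000000), ref: 0042E8D0
• MessageBoxA.USER32 ref: 0042E937
Similarity
• API ID: CurrentProcess$DescriptorInitializeSecurity
• String ID: internal error (opening settings buffer)$iB$madExcept$madExceptSettingsBuf
• Opcode ID: a520201da86c91544155b15d6c37748c60bf330ee783afdcec5c649b1b573081
Uniqueness Score: -1.00%
"""

# One API bullet: [Part of subcall function X:] NAME.MODULE[(args)], ref: ADDR
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function ([0-9A-Fa-f]{8}):\s*)?"
    r"(\w+)\.(\w+)(?:\((.*?)\))?,?\s*ref:\s*([0-9A-Fa-f]{8})$"
)
# Every other bullet is "Key: value" (Similarity, Memory Dump Source, ...).
KEY_VALUE = re.compile(r"^•\s*([^:]+?):\s*(.*)$")


@dataclass
class ApiRef:
    api: str
    module: str
    args: tuple                 # raw argument snapshot as printed; "?" = unknown
    ref: int                    # address of the call instruction
    subcall_of: Optional[int]   # callee address when the report folded the call in


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)   # Similarity fields and score


def parse_records(text: str) -> list:
    """Split report text into one FunctionRecord per 'APIs' section."""
    records, cur, section = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":                       # each record has one APIs section
            cur = FunctionRecord()
            records.append(cur)
            section = "APIs"
            continue
        if cur is None:
            continue                             # text before the first record
        if line.startswith("Uniqueness Score:"):
            cur.fields["Uniqueness Score"] = line.split(":", 1)[1].strip()
            section = ""
            continue
        if not line.startswith("•"):
            section = line                       # "Similarity", "Strings", ...
            continue
        if section == "APIs":
            m = API_LINE.match(line)
            if m is None:
                raise ValueError(f"unrecognised API line: {line!r}")
            sub, api, module, args, ref = m.groups()
            cur.apis.append(ApiRef(
                api, module,
                tuple(a.strip() for a in args.split(",")) if args else (),
                int(ref, 16), int(sub, 16) if sub else None))
        else:
            m = KEY_VALUE.match(line)
            if m:
                cur.fields[m.group(1).strip()] = m.group(2).strip()
    return records


def split_ids(value: str) -> list:
    """The report joins API ID / String ID items with '$'."""
    return [p for p in value.split("$") if p]


def records_calling(records, api: str, include_subcalls: bool = False) -> list:
    """Records whose own code (or, optionally, a folded-in callee) calls `api`."""
    return [r for r in records
            if any(a.api == api and (include_subcalls or a.subcall_of is None)
                   for a in r.apis)]


def api_names(record: FunctionRecord) -> frozenset:
    """Set of API.MODULE names, for comparing records across reports."""
    return frozenset(f"{a.api}.{a.module}" for a in record.apis)


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.fields.get("Opcode ID", "")[:16], sorted(api_names(rec)))
        print("  strings:", split_ids(rec.fields.get("String ID", "")))
```

`records_calling` ignores calls attributed to a subcall unless `include_subcalls=True`, so a search keyed on a folded-in line such as `Part of subcall function 0042E734: GetCurrentProcessId` only matches with that flag; that distinction matters when you are counting which functions themselves touch an API versus merely reach it through a helper. Feeding two reports through `parse_records` and intersecting their `Opcode ID` fields is the quickest way to see which functions survived between builds.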

                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                      control_flow_graph 811 44d104-44d157 call 405280 814 44d164-44d16b 811->814 815 44d159-44d162 811->815 816 44d19d-44d1a7 814->816 817 44d16d-44d184 814->817 815->814 815->815 820 44d1b0-44d1b8 816->820 821 44d1a9-44d1ae 816->821 818 44d186 817->818 819 44d189-44d191 817->819 818->819 819->816 822 44d1e2-44d1ee call 4047f8 820->822 823 44d1ba-44d1c8 call 411c84 820->823 821->820 828 44d434-44d4a2 call 402810 call 40481c call 405350 822->828 829 44d1f4-44d20b call 413288 822->829 823->822 830 44d1ca-44d1d8 823->830 829->828 837 44d211-44d21e call 413288 829->837 830->822 832 44d1da-44d1df 830->832 832->822 841 44d223-44d225 837->841 841->828 843 44d22b-44d22f 841->843 845 44d23b-44d23f 843->845 846 44d275-44d278 845->846 847 44d241-44d244 845->847 846->828 848 44d27e-44d294 call 413288 846->848 847->846 849 44d246-44d25d call 413288 847->849 848->828 854 44d29a-44d2ae call 413288 848->854 849->846 855 44d25f-44d273 call 413288 849->855 854->828 861 44d2b4-44d2c6 call 4030f4 854->861 855->846 860 44d231-44d23a 855->860 860->845 861->828 864 44d2cc-44d305 call 40389c call 404a64 861->864 864->828 869 44d30b-44d362 call 42b7ec GetCurrentProcessId call 40a4a8 call 404b0c call 404cb8 call 407228 864->869 869->828 880 44d368-44d397 WaitForSingleObject 869->880 881 44d3f8-44d40e ReleaseMutex 880->881 882 44d399-44d3e4 VirtualAlloc VirtualProtect 880->882 882->881 883 44d3e6-44d3f3 VirtualProtect 882->883 883->881
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID:
• String ID: HookTThread
• API String ID: 0-2037367185
• Opcode ID: e1fdaf9d850482807fc1daf5cb6f884ab94907e5e8a63f21838e3e4fa89be6f0
• Instruction ID: 257c7332132ed0e3c505c4f8848fd13293e0eaeb4dd07e62c6439ac82330cc6c
• Opcode Fuzzy Hash: e1fdaf9d850482807fc1daf5cb6f884ab94907e5e8a63f21838e3e4fa89be6f0
• Instruction Fuzzy Hash: 8DB16E74A003099FEB10DF98C981B9EB7F5FB49304F5085AAE904AB391D778EE00CB59
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetCurrentThreadId.KERNEL32 ref: 0040BAA4
• GetCurrentThreadId.KERNEL32 ref: 0040BAC9
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,00000000,?,?,00000000,0040BCD6), ref: 0040BB1A
• ReleaseMutex.KERNEL32(00000254,0040BBA7,00000254,000000FF,?,?,00000000,0040BCD6), ref: 0040BB9A
Strings
• madToolsMsgHandlerMutex, xrefs: 0040BAF5
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: CurrentThread$MutexObjectReleaseSingleWait
• String ID: madToolsMsgHandlerMutex
• API String ID: 1965185967-871761905
• Opcode ID: 8ed3e69b6226cc78c455cf8802a566c56ef72f02d277f8ca137b0fce9a4b788a
• Instruction ID: fe342fcf527ea9f240c8836f89e6d0c6354684a447f5bd7ae9f93aad867db536
• Opcode Fuzzy Hash: 8ed3e69b6226cc78c455cf8802a566c56ef72f02d277f8ca137b0fce9a4b788a
• Instruction Fuzzy Hash: AF317370E046099FDB14DFA5D841A9EB7B5EB44314F20453BF501B36D1EB3CA901CB99
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,00020019,B70F0B02,00000000,0042B631,B70F0B0E,B70F0B7E,00000000,B70F0B52), ref: 0042B586
• RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,B70F0AFE,80000002,00000000,00000000,00020019,B70F0B02,00000000,0042B631,B70F0B0E,B70F0B7E,00000000), ref: 0042B5B1
• LocalAlloc.KERNEL32(00000040,?,?,00000000,00000000,00000000,00000000,B70F0AFE,80000002,00000000,00000000,00020019,B70F0B02,00000000,0042B631,B70F0B0E), ref: 0042B5CA
• RegQueryValueExA.ADVAPI32(?,00000000,00000000,B70F0AFA,00000000,B70F0AFE,00000040,?,?,00000000,00000000,00000000,00000000,B70F0AFE,80000002,00000000), ref: 0042B5E1
• LocalFree.KERNEL32(00000000,?,00000000,00000000,B70F0AFA,00000000,B70F0AFE,00000040,?,?,00000000,00000000,00000000,00000000,B70F0AFE,80000002), ref: 0042B608
• RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000000,00000000,B70F0AFE,80000002,00000000,00000000,00020019,B70F0B02,00000000,0042B631,B70F0B0E,B70F0B7E), ref: 0042B611
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: LocalQueryValue$AllocCloseFreeOpen
• String ID:
• API String ID: 2658220197-0
• Opcode ID: bf02f7612466c9e8f32361abed7e9996a425ed45ba3dead381128bebe0d80cec
• Instruction ID: 6859c7db8b85a69f2b8661d8d1a4f3d77e14a9803ae17eaa1c19ae849fdc0f3c
• Opcode Fuzzy Hash: bf02f7612466c9e8f32361abed7e9996a425ed45ba3dead381128bebe0d80cec
• Instruction Fuzzy Hash: E831F171A04618ABDB10EBA9CC42FAFB7BCEB45704F51447AF510F7281D778AE0186A9
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph (rendered image not preserved; legend: Executed / Not Executed). Graph data as extracted:
control_flow_graph 938 44cd40-44cd7a call 404ca8 * 2 943 44cd80-44cd9c call 404cb8 GetModuleHandleA call 40c358 938->943 944 44ce3c 938->944 954 44cdb0 943->954 955 44cd9e-44cda3 943->955 945 44ce40-44ce68 call 4061b0 call 40481c 944->945 957 44cdb2-44cdbf GetModuleHandleA 954->957 955->954 956 44cda5-44cdae 955->956 956->957 958 44cdc1-44cdc8 957->958 959 44cdca-44cdda call 42b860 call 42bb28 957->959 958->959 960 44cde1-44cdeb call 42ba90 958->960 966 44cddf 959->966 965 44cdf0-44cdf2 960->965 967 44cdf4-44cdfd 965->967 968 44cdff-44ce01 965->968 966->965 967->968 969 44ce03 967->969 970 44ce05-44ce0c 968->970 969->970 970->945 971 44ce0e-44ce23 VirtualProtect 970->971 971->945 972 44ce25-44ce3a VirtualProtect 971->972 972->945
APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,0044CE69,?,00607910,?,00000000), ref: 0044CD89
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,0044CE69,?,00607910,?,00000000), ref: 0044CDB4
• VirtualProtect.KERNEL32(00000000,00000004,00000040,00000000,00000000,00000000,00000000,0044CE69,?,00607910,?,00000000), ref: 0044CE1C
• VirtualProtect.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000004,00000040,00000000,00000000,00000000,00000000,0044CE69,?,00607910,?,00000000), ref: 0044CE35
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: HandleModuleProtectVirtual
• String ID: !C
• API String ID: 2905821283-2273022293
• Opcode ID: 823d2def3dfe38cf0d3559db27a30464038f2560d5a252c8d47c5cb453a390d3
• Instruction ID: ff46dd5658acbbf5915d3a5d748e236adb0f6a72f854b0dd3d621a91f42b4c47
• Opcode Fuzzy Hash: 823d2def3dfe38cf0d3559db27a30464038f2560d5a252c8d47c5cb453a390d3
• Instruction Fuzzy Hash: 833189B0A052059FE750EF65C8C2AAF77B9EF44304F68447BE504A7391D738AD40C7A9
Uniqueness

Uniqueness Score: -1.00%
APIs
• Part of subcall function 00406F48: TlsGetValue.KERNEL32(00000000,00000000,00402919,0044C559,0044C57F,00000002,00000002,004046EA,?,?,?,00000002,0040476E,0040292B,00402973,?), ref: 00406F6D
• VirtualAlloc.KERNEL32(00000000,MZP,00002000,00000001), ref: 00445E92
• VirtualAlloc.KERNEL32(00000000,00080000,00001000,00000001,00000000,MZP,00002000,00000001), ref: 00445EA7
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: AllocVirtual$Value
• String ID: Exception$MZP$MadException
• API String ID: 2246243222-780510357
• Opcode ID: b181a9dd44e3c2901ded53e41ab4c51f377af85fc3cad8b46c14d01381f35372
• Instruction ID: c30187c4c35a2d6bb8d9d179fddccb91e4ab54fdf2fd8e94e9ea0ccf747e5fc3
• Opcode Fuzzy Hash: b181a9dd44e3c2901ded53e41ab4c51f377af85fc3cad8b46c14d01381f35372
• Instruction Fuzzy Hash: 2011C431A447005BFF10AB55AC457AE77A1EB41309F708077E5007A2D3C7785985CB1D
Uniqueness

Uniqueness Score: -1.00%
APIs
• GetTempPathA.KERNEL32(00000104,?,00000000,0042B3AF,?,00000000,?,0042B413,00000000,0042B4EC,?,00000000,?,00445565,00000000,00445959), ref: 0042B2D2
• CreateDirectoryA.KERNEL32(00000000,00000000,00000104,?,00000000,0042B3AF,?,00000000,?,0042B413,00000000,0042B4EC,?,00000000,?,00445565), ref: 0042B304
• CreateDirectoryA.KERNEL32(00000000,00000000,.madExcept,00000000,00000000,00000000,00000000,00000104,?,00000000,0042B3AF,?,00000000,?,0042B413,00000000), ref: 0042B377
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
                                                                                                                                                                                      • Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp Download File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: CreateDirectory$PathTemp
                                                                                                                                                                                      • String ID: .madExcept
                                                                                                                                                                                      • API String ID: 4115145201-4117059601
                                                                                                                                                                                      • Opcode ID: cc4b2660333bb64770f1fbddf82e4c89239d9fe482af86b4f4ab4989cb3b0a4b
                                                                                                                                                                                      • Instruction ID: 8545504f5cafbf501c3a94ccd68d6b60dd0597ad2c614c7baf41d4dca6efa616
                                                                                                                                                                                      • Opcode Fuzzy Hash: cc4b2660333bb64770f1fbddf82e4c89239d9fe482af86b4f4ab4989cb3b0a4b
                                                                                                                                                                                      • Instruction Fuzzy Hash: 2E21EA70B046284BDB11FB6ADC42BDA73A5EF84304F4185FAB604E7296D7BC5D408EDA
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                      C-Code - Quality: 100%
			/* Resolves a module handle by name; when the low byte of __edx is set, the
			   module is additionally pinned with LoadLibraryA (reference count raised). */
			struct HINSTANCE__* E0068CC49(CHAR* __ecx, signed int __edx) {
				struct HINSTANCE__* _v8;
				intOrPtr _v12;
				CHAR* _v16;
				CHAR* _v20;
				CHAR* _v24;
				signed int _v28;
				struct HINSTANCE__* _t25;
				CHAR* _t36;                  /* used without a declaration in the decompiler output */

				_v28 = __edx;                /* "also load" flag, only the low byte is tested */
				_v24 = __ecx;                /* module name */
				_t36 = _v24;
				_v12 = E0068AC70(_v24);      /* subcall enters a critical section (see APIs below) */
				_v8 = _v8 & 0x00000000;      /* _v8 = NULL */
				if(_v12 == 0) {
					_t25 = GetModuleHandleA(_v24); // executed
					_v8 = _t25;
				} else {
					/* subcall builds an alternate name from the temp path (GetTempPathA/wsprintfA, see APIs below) */
					_v16 = E0068EDF2(_t36, _v12, 0, 0);
					_v8 = GetModuleHandleA(_v16);
					if(_v8 != 0 && (_v28 & 0x000000ff) != 0) {
						LoadLibraryA(_v16);
					}
					_v20 = _v16;
					E0068E77C(_v16, _t36, _v20);
				}
				if(_v8 != 0 && (_v28 & 0x000000ff) != 0) {
					LoadLibraryA(_v24);
				}
				return _v8;
			}

Instruction addresses (address column of the listing; the per-line mapping did not survive extraction): 0x0068cc4f 0x0068cc52 0x0068cc55 0x0068cc5d 0x0068cc60 0x0068cc68 0x0068ccb3 0x0068ccb9 0x0068cc6a 0x0068cc79 0x0068cc85 0x0068cc8c 0x0068cc99 0x0068cc99 0x0068cca2 0x0068cca8 0x0068ccad 0x0068ccc0 0x0068cccd 0x0068cccd 0x0068ccd7

APIs
  • Part of subcall function 0068AC70: EnterCriticalSection.KERNEL32(00695AC8,?,?,?,?,?,?,?,?,Function_0029052C,00693478,000000FF,?,0068F9AA), ref: 0068AC9C
• GetModuleHandleA.KERNEL32(?), ref: 0068CC7F
• LoadLibraryA.KERNEL32(?), ref: 0068CC99
• GetModuleHandleA.KERNEL32(?), ref: 0068CCB3
• LoadLibraryA.KERNEL32(?), ref: 0068CCCD
  • Part of subcall function 0068EDF2: GetCurrentProcessId.KERNEL32(?,?,00000084,00000000,?,?,?,00000084), ref: 0068EE33
  • Part of subcall function 0068EDF2: GetTempPathA.KERNEL32(00000104,?,?,?,00000084,00000000), ref: 0068EE84
  • Part of subcall function 0068EDF2: wsprintfA.USER32 ref: 0068EEC1
  • Part of subcall function 0068EDF2: CharUpperBuffA.USER32(?,?,?,?,?,00000000), ref: 0068EF30
Memory Dump Source
• Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: HandleLibraryLoadModule$BuffCharCriticalCurrentEnterPathProcessSectionTempUpperwsprintf
• String ID:
• API String ID: 1923938400-0
• Opcode ID: e71030d6a5497bb88893ae912dc83edeb75a129aa74f9f646caf54842b0df8f1
• Instruction ID: 71fdec293fb8c4bfce11d602fc4927831e8d949268da22b6056efdc29f582a97
• Opcode Fuzzy Hash: e71030d6a5497bb88893ae912dc83edeb75a129aa74f9f646caf54842b0df8f1
• Instruction Fuzzy Hash: 7211E870D00219EFDF01EFA4D94A7EEBBB2AF04305F2441AAE905B22A0D7754B44EB65
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041E5E3), ref: 0041E03A
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: QueryVirtual
• String ID: .@label
• API String ID: 1804819252-3308466214
• Opcode ID: 2d00f4d4f3f8d2acd00cf580fe62dc4249a1565ca2ec6cbeaa7ccbda53d22733
• Instruction ID: b6aa43c323a2d9ee4fd032c1343f607a5ad3f8d45021b6cfd8238ba65d8a6d78
• Opcode Fuzzy Hash: 2d00f4d4f3f8d2acd00cf580fe62dc4249a1565ca2ec6cbeaa7ccbda53d22733
• Instruction Fuzzy Hash: 81320938A00119AFDB10CF99C584ADEF7F2EB48314F148296ED65AB391D735EE82CB54
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0042B7A8: GetSystemTime.KERNEL32(?), ref: 0042B7B0
  • Part of subcall function 0042B7A8: SystemTimeToFileTime.KERNEL32(?,?,?), ref: 0042B7BF
• GetModuleHandleA.KERNEL32(00000000,?,00000000,004459C7,?,00607910,?,00000001,00000000,00000000,?,00445DEA,00000000,00445DFF,?,00000000), ref: 00445667
• GetModuleHandleA.KERNEL32(00000000,?,00000000,004459C7,?,00607910,?,00000001,00000000,00000000,?,00445DEA,00000000,00445DFF,?,00000000), ref: 00445928
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: Time$HandleModuleSystem$File
• String ID: L``
• API String ID: 2120564603-2928584521
• Opcode ID: cbff622dcd44a12daf0b9a744282855d55bb2be5f41cd0848966678035b5d74f
• Instruction ID: a840bb8cfa6292c94e8e0f3eaf7b9b38367b5677d3645b92f19b78ba6421e353
• Opcode Fuzzy Hash: cbff622dcd44a12daf0b9a744282855d55bb2be5f41cd0848966678035b5d74f
• Instruction Fuzzy Hash: CAF19375A005099FEF05EF64C885BAFB7B5BF49304F1444A6E801EB352CB39AC49CB65
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                      APIs
                                                                                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 0044B8C4
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                      • Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp Download File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: CurrentThread
                                                                                                                                                                                      • String ID: MEIPLWAIT$]D
                                                                                                                                                                                      • API String ID: 2882836952-1307493707
                                                                                                                                                                                      • Opcode ID: 225068fc343198fa1a3f5d7854d288bff23d04418a85acb2c0ee15c7a67f7674
                                                                                                                                                                                      • Instruction ID: 007d807557b1ed4a6e7e226e4934860683cbe023119fb3f531fc7f1a89dd843a
                                                                                                                                                                                      • Opcode Fuzzy Hash: 225068fc343198fa1a3f5d7854d288bff23d04418a85acb2c0ee15c7a67f7674
                                                                                                                                                                                      • Instruction Fuzzy Hash: 81D12B74A01249CFDB01DFA5C484ADEBBF4FF49300F14866AE855A7352DB34AA09CFA5
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                      APIs
                                                                                                                                                                                        • Part of subcall function 0042B298: GetTempPathA.KERNEL32(00000104,?,00000000,0042B3AF,?,00000000,?,0042B413,00000000,0042B4EC,?,00000000,?,00445565,00000000,00445959), ref: 0042B2D2
                                                                                                                                                                                        • Part of subcall function 0042B298: CreateDirectoryA.KERNEL32(00000000,00000000,00000104,?,00000000,0042B3AF,?,00000000,?,0042B413,00000000,0042B4EC,?,00000000,?,00445565), ref: 0042B304
                                                                                                                                                                                        • Part of subcall function 0042B298: CreateDirectoryA.KERNEL32(00000000,00000000,.madExcept,00000000,00000000,00000000,00000000,00000104,?,00000000,0042B3AF,?,00000000,?,0042B413,00000000), ref: 0042B377
                                                                                                                                                                                      • DeleteFileA.KERNEL32(00000000,00000000,?,00000000,00000000,0042B4EC,?,00000000,?,00445565,00000000,00445959,?,00000000,004459C7), ref: 0042B49C
                                                                                                                                                                                      • RemoveDirectoryA.KERNEL32(00000000,00000000,?,00000000,00000000,0042B4EC,?,00000000,?,00445565,00000000,00445959,?,00000000,004459C7), ref: 0042B4C1
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                      • Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp Download File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: Directory$Create$DeleteFilePathRemoveTemp
                                                                                                                                                                                      • String ID: *.*
                                                                                                                                                                                      • API String ID: 3054484020-438819550
                                                                                                                                                                                      • Opcode ID: 38acbbfe2dad81fa4f0d5bb28cb9c31980f1c460fce39b7f49c8c90bc52db486
                                                                                                                                                                                      • Instruction ID: 3bb982c470f4826b224a914d441a47320608998997b66cf73dfb0e43ecddcc83
                                                                                                                                                                                      • Opcode Fuzzy Hash: 38acbbfe2dad81fa4f0d5bb28cb9c31980f1c460fce39b7f49c8c90bc52db486
                                                                                                                                                                                      • Instruction Fuzzy Hash: 3D2146709042189BDB21FBB5DD82ACD73BCEF84304F5145FBA508B3291D738AF408A99
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                      APIs
                                                                                                                                                                                        • Part of subcall function 0042B7EC: InitializeSecurityDescriptor.ADVAPI32(?,00000001,00000000,0042E75C,00000000,0042E7BA,?,00000000), ref: 0042B800
                                                                                                                                                                                        • Part of subcall function 0042B7EC: SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000,?,00000001,00000000,0042E75C,00000000,0042E7BA,?,00000000), ref: 0042B80C
                                                                                                                                                                                      • GetCurrentProcessId.KERNEL32(?,00000000,0042E7BA,?,00000000), ref: 0042E760
                                                                                                                                                                                        • Part of subcall function 00407228: CreateMutexA.KERNEL32(?,00000001,00000000,?,0042E795,?,00000000,00000000,?,00000000), ref: 0040723E
                                                                                                                                                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,00000000,?,00000000,0042E7BA,?,00000000), ref: 0042E79A
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                      • Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp Download File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: DescriptorSecurity$CreateCurrentDaclInitializeMutexObjectProcessSingleWait
                                                                                                                                                                                      • String ID: madExceptSettingsMtx
                                                                                                                                                                                      • API String ID: 4044464308-1171596302
                                                                                                                                                                                      • Opcode ID: 9da93b2762564384b9277dde863ff2affea87f86339b02dc9e6efabc7588dfaf
                                                                                                                                                                                      • Instruction ID: 7b954b84e48ebc55d65c66ee1d67c04018e802b04cb816e60fec0271a34340d0
                                                                                                                                                                                      • Opcode Fuzzy Hash: 9da93b2762564384b9277dde863ff2affea87f86339b02dc9e6efabc7588dfaf
                                                                                                                                                                                      • Instruction Fuzzy Hash: 06017575A042085FDB00EBA1DC42ADEB7FDEB88324FA15576F500F36C1E678A9018779
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                      APIs
                                                                                                                                                                                      • SetEvent.KERNEL32(00000000,00000244,?,00000038,?,00000000), ref: 00445A07
                                                                                                                                                                                      • PostThreadMessageA.USER32(?,00000000,00000000,00000000), ref: 00445A16
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                      • Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp Download File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: EventMessagePostThread
                                                                                                                                                                                      • String ID: 8
                                                                                                                                                                                      • API String ID: 1782233976-4194326291
                                                                                                                                                                                      • Opcode ID: b80c9a64874ae66bca59b211ec96854c9e1dd56ce23d5fed54cde740addce6f3
                                                                                                                                                                                      • Instruction ID: 60e4305173173cd49b4e970cbd2ef2269c8d3a1f0e719f632e354009eb1325c5
                                                                                                                                                                                      • Opcode Fuzzy Hash: b80c9a64874ae66bca59b211ec96854c9e1dd56ce23d5fed54cde740addce6f3
                                                                                                                                                                                      • Instruction Fuzzy Hash: 39F09671A45704BBEF20AA989C81FA6B39C9F14719F10412BB640F71C1D578AE04C7A9
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                      APIs
                                                                                                                                                                                      • GlobalHandle.KERNEL32(05670000), ref: 00407FD5
                                                                                                                                                                                      • GlobalUnWire.KERNEL32(00000000), ref: 00407FDC
                                                                                                                                                                                      • GlobalFree.KERNEL32(00000000), ref: 00407FE1
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                      • Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp Download File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: Global$FreeHandleWire
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID: 318822183-0
                                                                                                                                                                                      • Opcode ID: 8b7d0559a3996ec09ec824293fdabe7fa11b13e18af1fe3f495c58ff44d9003d
                                                                                                                                                                                      • Instruction ID: bf9ce320df3e29915c632ed3740557683694ac663be51e849438fec4080994a9
                                                                                                                                                                                      • Opcode Fuzzy Hash: 8b7d0559a3996ec09ec824293fdabe7fa11b13e18af1fe3f495c58ff44d9003d
                                                                                                                                                                                      • Instruction Fuzzy Hash: 13A00188C5821464D84072BA1C0A86E180C58952493C0486A3804F2083C83CA800007B
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

APIs
• VirtualQuery.KERNEL32(?,?,0000001C,00000000,00411C5C,?,00607910,?,?,?,00411C9E,?,00000000,00000000,00000000,00000000), ref: 004117AD
  • Part of subcall function 0040ADE4: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,0040AFAA,?,00607910,?,00000057,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040AE39
  • Part of subcall function 0040ADE4: LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,0040AFAA,?,00607910,?,00000057,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040AE7C
  • Part of subcall function 0040ADE4: FormatMessageA.KERNEL32(00001300,?,00000057,00000400,?,00000000,00000000,00000000,0040AF88,?,00000000,0040AFAA,?,00607910,?,00000057), ref: 0040AEB8
Strings
• Invalid code!
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Similarity
• API ID: FormatHandleLibraryLoadMessageModuleQueryVirtual
• String ID: Invalid code!
• API String ID: 2076662300-2012297025
• Opcode ID: e482bc16bac8d38ba19a9bc9e7add6f2b2e43ab29b4ccccc5e87141ef22cdf34
• Instruction ID: 16d86ae259adae00bd4f68fe0685beef84222829119c83ed3b0625fc1cfda91e
• Opcode Fuzzy Hash: e482bc16bac8d38ba19a9bc9e7add6f2b2e43ab29b4ccccc5e87141ef22cdf34
• Instruction Fuzzy Hash: 3F125F74A042089FDB14DF58C484BDE7BB1AF48354F24815AE948AB362D778EDC5CB98
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040BA70: GetCurrentThreadId.KERNEL32 ref: 0040BAA4
  • Part of subcall function 0040BA70: GetCurrentThreadId.KERNEL32 ref: 0040BAC9
  • Part of subcall function 0040BA70: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,00000000,?,?,00000000,0040BCD6), ref: 0040BB1A
  • Part of subcall function 0040BA70: ReleaseMutex.KERNEL32(00000254,0040BBA7,00000254,000000FF,?,?,00000000,0040BCD6), ref: 0040BB9A
• WaitForSingleObject.KERNEL32(00000254,000000FF), ref: 0040BD5D
• ReleaseMutex.KERNEL32(00000254,0040BEC1,000000FF), ref: 0040BEB4
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Similarity
• API ID: CurrentMutexObjectReleaseSingleThreadWait
• String ID:
• API String ID: 1076790184-0
• Opcode ID: 89297451507f07dcf8eaf58e5594dad6d85aebe9236f5563888d47c66c82219e
• Instruction ID: 579d800f2869a0263043deeba4abc94f4de9e2a2d8fa18d9af92c5b0c38e4d47
• Opcode Fuzzy Hash: 89297451507f07dcf8eaf58e5594dad6d85aebe9236f5563888d47c66c82219e
• Instruction Fuzzy Hash: 39517C34A0460A9FCB20DF59C880AAAB7F5FB44314F20857AE959E7391D738ED41CBD9
Uniqueness
Uniqueness Score: -1.00%

APIs
• VirtualProtect.KERNEL32(00000000,00000005,00000040,?,00000000,00446E3A,?,00000000,00446E5F,?,?,?,00000000), ref: 00446DB4
• VirtualProtect.KERNEL32(00000000,00000005,?,?,00000000,00000005,00000040,?,00000000,00446E3A,?,00000000,00446E5F,?,?,?), ref: 00446DD2
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 99e25ed52c6ed30910fad9794e1e076a0bddda4515bc965695daf80b8b161200
• Instruction ID: f992cece7b299cab000ee85b8685c0d3137a80a7fa10af5c3e1d9bafaf83ae76
• Opcode Fuzzy Hash: 99e25ed52c6ed30910fad9794e1e076a0bddda4515bc965695daf80b8b161200
• Instruction Fuzzy Hash: DB31B875B04144AFD710EFA9D88196E77E9EBC9304F62447AE504E3391DB38AE018B59
Uniqueness
Uniqueness Score: -1.00%

APIs
• VirtualQuery.KERNEL32(00000000,?,0000001C,00000000,0041C57B,?,00000000,0041C5B9,?,00607910,?,00000001,?,0042D872,00000000,0042D8D8), ref: 0041C4A8
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C4E6
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Similarity
• API ID: FileModuleNameQueryVirtual
• String ID:
• API String ID: 2827130835-0
• Opcode ID: d000792ce3c85d2ffbda417df055203851c8f9ad904e7fbe6177e54e40bcb824
• Instruction ID: ebb318006cec01f31196544383172026961fcb11b34d1f3298ffab88241147db
• Opcode Fuzzy Hash: d000792ce3c85d2ffbda417df055203851c8f9ad904e7fbe6177e54e40bcb824
• Instruction Fuzzy Hash: D731F770640214ABDB21DA65CCD1BEB73EEDB4D304F4040BBF64492691DA78ADC08E58
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateThread.KERNEL32(?,?,Function_0004CFA0,?,?,?), ref: 0044D523
• GetCurrentThreadId.KERNEL32 ref: 0044D540
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Similarity
• API ID: Thread$CreateCurrent
• String ID:
• API String ID: 1518938775-0
• Opcode ID: cbee45395a4d4fc12741492b771b45ca5d03ae8d013116a14cab34c15e4aa9b9
• Instruction ID: 1d2351ab5d38bec11989de91c60cb1f3812a521254a55c93cb931a4661809088
• Opcode Fuzzy Hash: cbee45395a4d4fc12741492b771b45ca5d03ae8d013116a14cab34c15e4aa9b9
• Instruction Fuzzy Hash: 3A11C8B6A04219BFDB41DF99DC91E9FB7FCEB4C304B514466B915E3240DA38EA048BA4
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32(?,00000000,00000004,?,?,?,00000000), ref: 004132D6
• ReadProcessMemory.KERNEL32(00000000,?,00000000,00000004,?,?,?,00000000), ref: 004132DC
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Similarity
• API ID: Process$CurrentMemoryRead
• String ID:
• API String ID: 267060218-0
• Opcode ID: 0f8f438bcd480190302ec1ef4d735d2650f217d0d13f8c2afa17ba847d6ad4fd
• Instruction ID: 0ba8ceb97ae1fa9dbf94b0f3ed7a690fc105c03b9b89c93d604d5ea7d0fbfc80
• Opcode Fuzzy Hash: 0f8f438bcd480190302ec1ef4d735d2650f217d0d13f8c2afa17ba847d6ad4fd
• Instruction Fuzzy Hash: AE012071708104AB9710EE9E5C416EBB7DCAB94311B14007BB804D3341DB39DF85D26D
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 75%
    E0068C930(void* _a4) {
        intOrPtr _v8;
        void* _v12;
        long _v16;
        long _v20;
        void* _t14;
        void* _t15;
        int _t18;

        _v8 = 0;                                                    // 0x0068c936
        if( *0x69a030 == 0) {                                       // 0x0068c944
            E0068E6E1(_t14, 0xef00000a);                            // 0x0068c94b
        }                                                           // 0x0068c94b
        _t15 = _a4;                                                 // 0x0068c950
        0x690235( *_t15);                                           // 0x0068c95c
        _v12 = _t15;                                                // 0x0068c961
        if(_v12 != 0) {                                             // 0x0068c968
            _t18 = VirtualProtect(_a4, 4, 4,  &_v20); // executed   // 0x0068c976
            if(_t18 == 0) {                                         // 0x0068c97e
                E0068E6E1(_t18, 0xef00000b);                        // 0x0068c985
            }                                                       // 0x0068c985
             *_a4 =  *_v12;                                         // 0x0068c992
            VirtualProtect(_a4, 4, _v20,  &_v16); // executed       // 0x0068c9a2
            _v8 = 1;                                                // 0x0068c9a8
        }                                                           // 0x0068c9a8
        return _v8;                                                 // 0x0068c9b5
    }

APIs
• VirtualProtect.KERNEL32(00000000,00000004,00000004,?,?,?,0068C90A), ref: 0068C976
• VirtualProtect.KERNEL32(00000000,00000004,?,0068C90A,?,0068C90A), ref: 0068C9A2
  • Part of subcall function 0068E6E1: RaiseException.KERNEL32(00000000,00000000,00000000,00000000,EF00000D,?,0068E777,024B0488,?,0068E703,024B0488,024B0488,?,00688580,00000068), ref: 0068E6F1
Memory Dump Source
• Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: ProtectVirtual$ExceptionRaise
• String ID:
• API String ID: 2285923662-0
• Opcode ID: bea95e8d0a27382d17352ba792ef777e7934b1469990a840f3c9ab85a3bcb04a
• Instruction ID: 7ad27c4e04248ce158150094e332f1df2be133a542c546e6c9aa77d7d9518c33
• Opcode Fuzzy Hash: bea95e8d0a27382d17352ba792ef777e7934b1469990a840f3c9ab85a3bcb04a
• Instruction Fuzzy Hash: 0E010074A00208EFDF04EFA4DC45BAD77BAFB84714F108688F9099B390DB715A51CB95
Uniqueness

Uniqueness Score: -1.00%

APIs
• GlobalAlloc.KERNEL32(C08B0002,05E70000,004185DE,?,-0000000E,00419AA2,00000000,00419B53,?,00000000,00000000,00419B7D,?,00000000,00000004,00000000), ref: 00407FAA
• GlobalFix.KERNEL32(00000000), ref: 00407FB0
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: Global$Alloc
• String ID:
• API String ID: 2558781224-0
• Opcode ID: 20d48b862582ff9fa3717c59226fc903c8685604ff1cfd308f2dd2775e5a4f90
• Instruction ID: a39a6022b1cc374292960b0e17bc1fecf98ba161e91244267312326eb72c791a
• Opcode Fuzzy Hash: 20d48b862582ff9fa3717c59226fc903c8685604ff1cfd308f2dd2775e5a4f90
• Instruction Fuzzy Hash: 709002E4C0920125DC4473B20C0AD2B081C58C070C7C0886E7040B20A3883CF440403E
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,0040197D), ref: 004016A3
• VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,0040197D), ref: 004016CA
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: Virtual$AllocFree
• String ID:
• API String ID: 2087232378-0
• Opcode ID: 7df549ffc28c32cb2bd68b6daee27827f0b0854fe30f80007c2715c349264863
• Instruction ID: 4cb07ffbe4a022823a0cd7d68d0b0d47ec14a5362f4d7301b3da54b1d36325a0
• Opcode Fuzzy Hash: 7df549ffc28c32cb2bd68b6daee27827f0b0854fe30f80007c2715c349264863
• Instruction Fuzzy Hash: 7FF0A7B3F0072017DB205A6A4C85B5369C59F857A4F194577FD08FF3E9D6BA8C0142AA
Uniqueness

Uniqueness Score: -1.00%

APIs
• IsBadHugeReadPtr.KERNEL32(00000000,00000000), ref: 0042057B
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: HugeRead
• String ID:
• API String ID: 2080902951-0
• Opcode ID: 2cb844271f2d830aa0ed6b5c5b8a96cc7aa137eabc1be76e7944084dee4482a4
• Instruction ID: 3de7cae0edc3296a3b6615fa1b3824bb8634309011725cbd8b4182b10f1b6b9e
• Opcode Fuzzy Hash: 2cb844271f2d830aa0ed6b5c5b8a96cc7aa137eabc1be76e7944084dee4482a4
• Instruction Fuzzy Hash: 1CD1F4713042589FE719DF29E84579A3BE5EB89314FA2417BF801976E2C77C9CC1CA18
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualQuery.KERNEL32(?,?,0000001C,?), ref: 0041F056
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: QueryVirtual
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID: 1804819252-0
                                                                                                                                                                                      • Opcode ID: e8031176c9c19f0f2ef0ef00ee5f12e7da453bd5b4e057b7680f3b39d0daa6d3
                                                                                                                                                                                      • Instruction ID: 735d9e6a4d719bf9bea4e9c26f47b592e4bb65f376ce5a7d85718859a76511a2
                                                                                                                                                                                      • Opcode Fuzzy Hash: e8031176c9c19f0f2ef0ef00ee5f12e7da453bd5b4e057b7680f3b39d0daa6d3
                                                                                                                                                                                      • Instruction Fuzzy Hash: C461C174A00149AFCB10CA99C880EEEFBB5FF48314F244266E9549B382D735EDC6CB94
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                      APIs
                                                                                                                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,00000004,00000000,0041CF63,?,?,0000001C,00000000,0041D283), ref: 0041CB79
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                      • Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp Download File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: FileModuleName
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID: 514040917-0
                                                                                                                                                                                      • Opcode ID: dc8b7ec55a5303f9a42151de484fd838b0f1c51d778216262f9857b0e16eefd2
                                                                                                                                                                                      • Instruction ID: 027f15c874b36ed5794fbe4f00a51eea8d4b3a2995432e0e033781a6f69b01c7
                                                                                                                                                                                      • Opcode Fuzzy Hash: dc8b7ec55a5303f9a42151de484fd838b0f1c51d778216262f9857b0e16eefd2
                                                                                                                                                                                      • Instruction Fuzzy Hash: FF513B70A482469FD300DF29D8C5B66B7E2FB94318F18823AD55887352E738EC91CBC9
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

C-Code - Quality: 83%
E0068C7A0(char _a4, intOrPtr* _a8) {
	signed int _v8;
	intOrPtr _v12;
	intOrPtr* _v16;
	char _v20;
	intOrPtr* _v24;
	intOrPtr _v28;
	intOrPtr* _v32;
	signed int _v36;
	void* _v40;
	CHAR* _v44;
	intOrPtr _v48;
	intOrPtr _t70;
	CHAR* _t74;
	struct HINSTANCE__* _t80;
	intOrPtr _t85;
	intOrPtr _t88;
	intOrPtr _t116;
	intOrPtr _t123;
	void* _t129;

	_v20 = _a4;
	_v16 = _a8;
	_v24 = _a8;
	while(_v24 != 0) {
		_t85 =  *_v24;
		if(_t85 != _a4) {
			_v24 =  *((intOrPtr*)(_v24 + 4));
			continue;
		}
		return _t85;
	}
	_t88 =  *0x695af8; // 0x0
	 *0x695af8 = _t88 + 1;
	_v28 = _a4;
	_t70 = _v28;
	_v32 = _v28 +  *((intOrPtr*)(_t70 + 0x3c));
	if( *_v32 != 0x4550) {
		_t70 = E0068E6E1(_t70, 0xef00000c);
	}
	if( *0x695a14 != 1 || _a4 <= 0x80000000) {
		_v12 = _v28 +  *((intOrPtr*)(_v32 + 0x80));
		_v8 =  *(_v32 + 0x84) / 0x14;
		_v36 = 0;
		while(1) {
			_t74 = _v36;
			if(_t74 >= _v8) {
				break;
			}
			_t74 = _v28 +  *((intOrPtr*)(_v12 + 0xc + _v36 * 0x14));
			_v44 = _t74;
			if( *((intOrPtr*)(_v12 + 0xc + _v36 * 0x14)) == 0) {
				L16:
				break;
			}
			_t74 = _v28;
			if(0 != 0) {
				_v40 = _v28 +  *((intOrPtr*)(_v12 + 0x10 + _v36 * 0x14));
				_t123 =  *0x695448; // 0x450518
				_v48 = _t123;
				 *0x695448 = _v44;
				_t80 = GetModuleHandleA(_v44); // executed
				E0068C7A0(_t80,  &_v20); // executed
				_t129 = _t129 + 8;
				 *0x695448 = _v48;
				while( *_v40 != 0) {
					_push(_v44);
					E0068C930(_v40); // executed
					_t129 = _t129 + 8;
					_v40 = _v40 + 4;
				}
				_v36 = _v36 + 1;
				continue;
			}
			goto L16;
		}
		_t116 =  *0x695af8; // 0x0
		 *0x695af8 = _t116 - 1;
		return _t74;
	} else {
		return _t70;
	}
}

Instruction addresses for the listing above (address column of the decompiled view, in order): 0x0068c7a9, 0x0068c7af, 0x0068c7b5, 0x0068c7c3, 0x0068c7cc, 0x0068c7d1, 0x0068c7c0, 0x00000000, 0x0068c7c0, 0x00000000, 0x0068c7d1, 0x0068c7da, 0x0068c7e3, 0x0068c7ec, 0x0068c7ef, 0x0068c7f8, 0x0068c804, 0x0068c80b, 0x0068c80b, 0x0068c817, 0x0068c833, 0x0068c848, 0x0068c84b, 0x0068c85d, 0x0068c85d, 0x0068c863, 0x00000000, 0x00000000, 0x0068c875, 0x0068c879, 0x0068c88a, 0x0068c8a5, 0x00000000, 0x0068c8a5, 0x0068c899, 0x0068c8a3, 0x0068c8b7, 0x0068c8ba, 0x0068c8c0, 0x0068c8c6, 0x0068c8d3
                                                                                                                                                                                      0x0068c8da
                                                                                                                                                                                      0x0068c8df
                                                                                                                                                                                      0x0068c8e5
                                                                                                                                                                                      0x0068c8f5
                                                                                                                                                                                      0x0068c900
                                                                                                                                                                                      0x0068c905
                                                                                                                                                                                      0x0068c90a
                                                                                                                                                                                      0x0068c8f2
                                                                                                                                                                                      0x0068c8f2
                                                                                                                                                                                      0x0068c85a
                                                                                                                                                                                      0x00000000
                                                                                                                                                                                      0x0068c85a
                                                                                                                                                                                      0x00000000
                                                                                                                                                                                      0x0068c8a3
                                                                                                                                                                                      0x0068c914
                                                                                                                                                                                      0x0068c91d
                                                                                                                                                                                      0x00000000
                                                                                                                                                                                      0x00000000
                                                                                                                                                                                      0x00000000
                                                                                                                                                                                      0x00000000

APIs
• GetModuleHandleA.KERNEL32(?,?), ref: 0068C8D3
Memory Dump Source
• Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 3c3919b1abb053e2554a618bfd56dd739ed359a8a699a44c3c8fa9764ebc7d1a
• Instruction ID: b7aceb4d0d8a3590b7a32dc19f6ab29a5a8eb58b24ead72d6699c9f786b12b86
• Opcode Fuzzy Hash: 3c3919b1abb053e2554a618bfd56dd739ed359a8a699a44c3c8fa9764ebc7d1a
• Instruction Fuzzy Hash: 6951E974E00109CFCF08DF98D5909EDBBB6FB48324F24825AD916AB751C734A981CFA5
Uniqueness
• Uniqueness Score: -1.00%

APIs
• VirtualQuery.KERNEL32(?,00000000,0000001C,00000000,004374CF,?,?,00000000), ref: 004373E9
  • Part of subcall function 0042E204: FindResourceA.KERNEL32(00400000,TMADEXCEPT,0000000A), ref: 0042E20C
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: FindQueryResourceVirtual
• String ID:
• API String ID: 2266176927-0
• Opcode ID: 9d30e83fa00c56a554f8be335964d3f53130ecc896b4dc64232b86b1d3b13883
• Instruction ID: 2f521166a41a1a2d10b63b356176c5a88747e73dc1008bd5563774faf3d89338
• Opcode Fuzzy Hash: 9d30e83fa00c56a554f8be335964d3f53130ecc896b4dc64232b86b1d3b13883
• Instruction Fuzzy Hash: 9B31F270704205CBDB21DF28C881B9E77A5AF19308F54A17AF4809B396DB3DBD05CB89
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0042E204: FindResourceA.KERNEL32(00400000,TMADEXCEPT,0000000A), ref: 0042E20C
• VirtualQuery.KERNEL32(00000000,?,0000001C,00000000,004372E9,?,00607910,?,00445EC5), ref: 004372C5
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: FindQueryResourceVirtual
• String ID:
• API String ID: 2266176927-0
• Opcode ID: b30d0302ed8942a45a92faa135f029d676c015b4466edd2ac9167504a3cd6376
• Instruction ID: 88ad2e6c7e05a9b8b56d869ecdd8a15ecb5e5a1e98ee9df1feff5b9066c27662
• Opcode Fuzzy Hash: b30d0302ed8942a45a92faa135f029d676c015b4466edd2ac9167504a3cd6376
• Instruction Fuzzy Hash: 6131C170A041058BDB31DF69CC81AAF73B6AF89314F5060B6F840A7396DB39AD05CB59
Uniqueness
• Uniqueness Score: -1.00%

APIs
• FileTimeToDosDateTime.KERNEL32(00607910,?,?), ref: 0041C386
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: Time$DateFile
• String ID:
• API String ID: 1286729926-0
• Opcode ID: 20b0a3ecaf4c1befb282801f26dacade9459f747f8cd95f7672d3b6f6679cd7d
• Instruction ID: 67440f7bb8d01e23cafdcd63fd41e68c82f2788d7d4f1b5c727226b919b7fb2d
• Opcode Fuzzy Hash: 20b0a3ecaf4c1befb282801f26dacade9459f747f8cd95f7672d3b6f6679cd7d
• Instruction Fuzzy Hash: 0C316B74E54108AFC754EF58DCC199A73F9EB08314B6184BAA800E7362E738FE40CB58
Uniqueness
• Uniqueness Score: -1.00%

APIs
• WaitForSingleObject.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,?,00445890,00000000,?,?,?,00000000,004459C7), ref: 004454AA
  • Part of subcall function 00445F20: EnterCriticalSection.KERNEL32(02B32564,005FA000,?,?,00431AE5,?,00607910,?,00000000), ref: 00445F3C
  • Part of subcall function 00445F20: LeaveCriticalSection.KERNEL32(02B32564,00445FC9,02B32564,005FA000,?,?,00431AE5,?,00607910,?,00000000), ref: 00445FBC
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: CriticalSection$EnterLeaveObjectSingleWait
• String ID:
• API String ID: 501323975-0
• Opcode ID: f2b8a6b90142bb571b1aa03e7639d4fa23519618bad16eb5c7f517faeba84e66
• Instruction ID: b2a602de64e80c091acb74a6d4dbc3d8fa37ed7f8b959d7990b495c0270c0851
• Opcode Fuzzy Hash: f2b8a6b90142bb571b1aa03e7639d4fa23519618bad16eb5c7f517faeba84e66
• Instruction Fuzzy Hash: 22217C307006059FDB04EF54C844B99B3BAFF8A705F6181A6E800AF3A2CB38AD45CB95
Uniqueness
• Uniqueness Score: -1.00%

APIs
• IsBadHugeReadPtr.KERNEL32(00000000,00000000), ref: 00420EFC
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: HugeRead
• String ID:
• API String ID: 2080902951-0
• Opcode ID: 6ac7c5aa3379528d0c2b20339689a646ccb7e9ef6a713cda4c88a4b638cd415d
• Instruction ID: 7b53ca08c1e32ce230c4d5a9404beb1b5bfb13d85ac14f2eb3631a35b7766155
• Opcode Fuzzy Hash: 6ac7c5aa3379528d0c2b20339689a646ccb7e9ef6a713cda4c88a4b638cd415d
• Instruction Fuzzy Hash: B3217171F54218AFCB10DFAAE84169EBBF8EB09314F5288BBE414D3642D7789940CB58
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCurrentThreadId.KERNEL32 ref: 0044D03E
  • Part of subcall function 0042BBB8: WaitForSingleObject.KERNEL32(?,000000FF,00000000,0042BE4A,?,?,?), ref: 0042BBFF
  • Part of subcall function 0042BBB8: LocalSize.KERNEL32(00000000), ref: 0042BC6C
  • Part of subcall function 0042BBB8: LocalSize.KERNEL32(00000000), ref: 0042BCA2
  • Part of subcall function 0042BBB8: LocalFree.KERNEL32(?,00000000,00000000,0042BE25,?,?,000000FF,00000000,0042BE4A,?,?,?), ref: 0042BCB6
  • Part of subcall function 0042BBB8: LocalSize.KERNEL32(00000000), ref: 0042BCBC
  • Part of subcall function 0042BBB8: LocalFree.KERNEL32(?,00000000,?,00000000,00000000,0042BE25,?,?,000000FF,00000000,0042BE4A,?,?,?), ref: 0042BCCA
  • Part of subcall function 0042BBB8: LocalFree.KERNEL32(00000000,00000000,?,00000000,00000000,0042BE25,?,?,000000FF,00000000,0042BE4A,?,?,?), ref: 0042BCD0
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: Local$FreeSize$CurrentObjectSingleThreadWait
• String ID:
• API String ID: 3213118908-0
• Opcode ID: 4ca8a9a144964e702908f56e29fb3fc98fa8dc1156c6d51b8b1352ee94d7a41c
• Instruction ID: cbf1bc5b34cb0243d9d79046f617093f6a1faf1b15a171d679140bf021ccc387
• Opcode Fuzzy Hash: 4ca8a9a144964e702908f56e29fb3fc98fa8dc1156c6d51b8b1352ee94d7a41c
• Instruction Fuzzy Hash: 85F08175608740BFF315AF229C22F277B99EB8AB14F61847AF90053AC1D97C6801C468
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0042E734: GetCurrentProcessId.KERNEL32(?,00000000,0042E7BA,?,00000000), ref: 0042E760
  • Part of subcall function 0042E734: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,00000000,?,00000000,0042E7BA,?,00000000), ref: 0042E79A
• RtlDeleteCriticalSection.NTDLL(0072FFF8), ref: 0042EA33
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: CriticalCurrentDeleteObjectProcessSectionSingleWait
• String ID:
• API String ID: 1534368221-0
• Opcode ID: ab5194679ef265d7647bead95d32c612b9fc3c1d0b422f7ed56b5309b46bc6fe
• Instruction ID: 64cb0427822e871d5bdcdca9483ecf82317dc8f9f45c334444ed516f5ff7b64c
• Opcode Fuzzy Hash: ab5194679ef265d7647bead95d32c612b9fc3c1d0b422f7ed56b5309b46bc6fe
• Instruction Fuzzy Hash: AD016D70704200DFDB01DB66EE4A92977FDE715700B814466F408C7262D6BCBC05EB38
Uniqueness

Uniqueness Score: -1.00%

APIs
• FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0041C2B6
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: Time$DateFile
• String ID:
• API String ID: 1286729926-0
• Opcode ID: 6274aa61fe1b0f23cca5899205ee7338522f4746e5f95f31bcc3587a43613e26
• Instruction ID: bd86286fe9e04af97be60bd8acc03cb728eca4c33918cb04f5e62410206da85b
• Opcode Fuzzy Hash: 6274aa61fe1b0f23cca5899205ee7338522f4746e5f95f31bcc3587a43613e26
• Instruction Fuzzy Hash: 7B0186B5D581045BC300EF55DC81C8773EDEB48304F00857EB545D7261E639FD108BA5
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateWindowExA.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00408081
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 24074e4f0c9761b04140219df1f553371079a76eaeea2aa9c31184406c9647cf
• Instruction ID: f8a649bc847f52ddae0cba1230be84fca8026b6f63394b48e17840334b009293
• Opcode Fuzzy Hash: 24074e4f0c9761b04140219df1f553371079a76eaeea2aa9c31184406c9647cf
• Instruction Fuzzy Hash: B3E0FEB2214209BBDB00DE8ADCC1DABB7ACFB4C654F804105BB1C972428275AD618B75
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleFileNameA.KERNEL32(00400000,?,00000105,00000000,00000000,004062B8,0042E34B,00000000,0042E627,?,00000000,00000000,00730020), ref: 0040626E
  • Part of subcall function 0040648C: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000000,005FA08C,?,0040627C,00400000,?,00000105,00000000,00000000,004062B8,0042E34B,00000000,0042E627), ref: 004064A8
  • Part of subcall function 0040648C: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000000,005FA08C,?,0040627C,00400000,?,00000105,00000000), ref: 004064C6
  • Part of subcall function 0040648C: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000000,005FA08C), ref: 004064E4
  • Part of subcall function 0040648C: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00406502
  • Part of subcall function 0040648C: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,00406591,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0040654B
  • Part of subcall function 0040648C: RegQueryValueExA.ADVAPI32(?,004066F8,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,00406591,?,80000001), ref: 00406569
  • Part of subcall function 0040648C: RegCloseKey.ADVAPI32(?,00406598,00000000,00000000,00000005,00000000,00406591,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 0040658B
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: Open$FileModuleNameQueryValue$Close
• String ID:
• API String ID: 2796650324-0
• Opcode ID: da3582352b6af271b6eee0be6725914b0bccc304a040216e35335ea9567890d9
• Instruction ID: b1d2447a3fddf84b00ea15e1c5a26f4deb5cc316ff885bad8aa69577cc48bd35
                                                                                                                                                                                      • Opcode Fuzzy Hash: da3582352b6af271b6eee0be6725914b0bccc304a040216e35335ea9567890d9
                                                                                                                                                                                      • Instruction Fuzzy Hash: D4E06D71A012108FCB50DE5888C1A8733D8AB08754F0109AAEC59DF386D375DD2087E8
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0068CF7A: GetModuleHandleA.KERNEL32(?), ref: 0068CFE5
  • Part of subcall function 0068CF7A: LoadLibraryA.KERNEL32(?), ref: 0068CFF5
• FreeLibrary.KERNEL32(00000000,00000000,?), ref: 0068FA68
Memory Dump Source
• Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: Library$FreeHandleLoadModule
• String ID:
• API String ID: 2140536961-0
• Opcode ID: 61978a77fb6c16f54ce5da5b876b6eb4c72e3230f02703bcf60ec6593a47eb28
• Instruction ID: a7477f17d345e13b7d079c7168717b3e372e8449bde5368364c6c59aa622283a
• Opcode Fuzzy Hash: 61978a77fb6c16f54ce5da5b876b6eb4c72e3230f02703bcf60ec6593a47eb28
• Instruction Fuzzy Hash: DCF0F83090020DFFCF04FFA0D906BADBAB6AF05364F108168E509A6260E7719F40EB54
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00689CE6: EnterCriticalSection.KERNEL32(00695AC8), ref: 00689D10
• SetFilePointer.KERNEL32(?,?,?,?,?,?,?,?), ref: 0068F944
Memory Dump Source
• Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: CriticalEnterFilePointerSection
• String ID:
• API String ID: 3291797498-0
• Opcode ID: 06bf70590fd7e71c50c3bc4a347811ceda893e74725d548f14536352b34dc9d4
• Instruction ID: 341836ca7552b9fe4a095fea0f685f6bc9e73a4a742d0499445012303a00b109
• Opcode Fuzzy Hash: 06bf70590fd7e71c50c3bc4a347811ceda893e74725d548f14536352b34dc9d4
• Instruction Fuzzy Hash: 29F0923210020EFFCF029F91DD01ADE7BBABF18355F004525F91696160D372DA21EB60
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0068A7E1: EnterCriticalSection.KERNEL32(00695AC8,?,?,?,?,006899FD,?,00000000,00000000,00000000,00000000,?), ref: 0068A80B
• ReadFile.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0068F90E
Memory Dump Source
• Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: CriticalEnterFileReadSection
• String ID:
• API String ID: 3182250808-0
• Opcode ID: a37e7f9c280ce226c5589c22298301930d66dfd24c24638e3bbfc626ca9fdc2b
• Instruction ID: 3c1dccb4eec7e5cec519ff58bd6980f28b8f10dcaee4cdaef9f6941a88ef3990
• Opcode Fuzzy Hash: a37e7f9c280ce226c5589c22298301930d66dfd24c24638e3bbfc626ca9fdc2b
• Instruction Fuzzy Hash: 72F0253650020EFBCF029F90DD019DE7FBABB18384B108029FA15A5221D332DA71ABA1
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0068988D: EnterCriticalSection.KERNEL32(00695AC8), ref: 006898B7
• MapViewOfFile.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0068FBC9
Memory Dump Source
• Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: CriticalEnterFileSectionView
• String ID:
• API String ID: 4022974305-0
• Opcode ID: 055772369029a75870db6f0429f2f00b118fe70ac815af5f3d788530f18b98b8
• Instruction ID: df785a907e93bdf8e1fbb19291198601a74deed25f0f59e33a04bf36e7198dba
• Opcode Fuzzy Hash: 055772369029a75870db6f0429f2f00b118fe70ac815af5f3d788530f18b98b8
• Instruction Fuzzy Hash: B1F02B7650014EFBCF029F90DD01CDE7F7AAB18394B048415BA15A5520D332DA71ABA1
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00689BD7: EnterCriticalSection.KERNEL32(00695AC8), ref: 00689C01
  • Part of subcall function 00689BD7: CreateFileA.KERNEL32(024B0AF8,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 00689C3D
  • Part of subcall function 00689BD7: SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 00689C5F
• CreateFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0068F7D2
Memory Dump Source
• Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: File$Create$CriticalEnterPointerSection
• String ID:
• API String ID: 2903890177-0
• Opcode ID: 48d5ec6ed5edb3ab465c84fecde6b47b2f91117c63a5d1a8fd72fd5ecfdf144b
• Instruction ID: 7a74ed9141c9a7bd110ca578d55ef78044559c47292dbe464b35004abfe1e933
• Opcode Fuzzy Hash: 48d5ec6ed5edb3ab465c84fecde6b47b2f91117c63a5d1a8fd72fd5ecfdf144b
• Instruction Fuzzy Hash: 9AF02B7650010EFFCF029F94DD41CDE7F7AAF18344B008115BE1595520D732DA61ABA0
Uniqueness
Uniqueness Score: -1.00%

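The function blocks above are uniform enough to parse mechanically, and the memory-dump file names carry the one piece of triage data worth pulling out first: most of these functions were dumped from the region at 0x688000, not from the mapped PE at 0x400000. The following Python is an added example, not Joe Sandbox's own tooling. It splits the report text into per-function records, decodes the region metadata in each `.sdmp` name, builds an index of direct API call sites, and flags functions whose code lives in writable-and-executable private memory, which is where unpacked or injected code ends up. The `.sdmp` layout (`<process>.<dump>.<id>.<base>.<protect>.<type>.sdmp`) and its mapping onto the Win32 `PAGE_*`/`MEM_*` constants are assumptions on my part; the sample input is copied from three of the blocks above with the page links removed.

```python
"""Parse Joe Sandbox per-function report blocks and triage them.

Added example, not Joe Sandbox tooling.  Assumption: an .sdmp file name is
<process>.<dump>.<id>.<base>.<protect>.<type>.sdmp, where <protect> and <type>
hold the Win32 PAGE_* and MEM_* values of the region that was dumped.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
                0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

SDMP_RE = re.compile(r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<dump>[0-9A-Fa-f]{8})\.(?P<id>\d+)\."
                     r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})\.sdmp")
API_RE = re.compile(r"^(?:Part of subcall function (?P<callee>[0-9A-F]{8}): )?"
                    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-F]{8})$")


@dataclass
class ApiCall:
    api: str
    module: str
    ref: str                     # address of the call instruction
    args: list
    callee: Optional[str]        # set when the call sits in a subcall, not in this function


@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)
    source: Optional[dict] = None          # decoded "Source File" region
    fields: dict = field(default_factory=dict)   # API ID, fuzzy hashes, ...


def decode_sdmp(name):
    """Decode the region metadata encoded in a memory-dump file name (None if not one)."""
    m = SDMP_RE.search(name)
    if not m:
        return None
    prot, typ = int(m["prot"], 16), int(m["type"], 16)
    return {"process": int(m["proc"], 16), "dump": int(m["dump"], 16),
            "base": int(m["base"], 16),
            "protect": PAGE_PROTECT.get(prot, hex(prot)), "type": MEM_TYPE.get(typ, hex(typ)),
            "rwx": prot in (0x40, 0x80),        # writable and executable
            "image": typ == 0x1000000}          # backed by a mapped PE image


def parse_blocks(text):
    """Split report text into one FunctionBlock per 'APIs' section."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue                        # section headers carry no data
        body = line[1:].strip()
        m = API_RE.match(body)
        if m:
            cur.apis.append(ApiCall(m["api"], m["module"], m["ref"],
                                    [a for a in m["args"].split(",") if a], m["callee"]))
            continue
        key, sep, val = body.partition(":")
        if sep and key == "Source File":
            cur.source = decode_sdmp(val)
        elif sep and key != "Associated":
            cur.fields[key] = val.strip()
    return blocks


def functions_in_rwx_memory(blocks):
    """Functions dumped from RWX memory that is not a mapped image: unpacked/injected code."""
    return [b for b in blocks if b.source and b.source["rwx"] and not b.source["image"]]


def api_index(blocks):
    """Map MODULE!Api -> call-site addresses, counting direct calls only."""
    idx = {}
    for b in blocks:
        for c in b.apis:
            if c.callee is None:
                idx.setdefault(f"{c.module}!{c.api}", set()).add(c.ref)
    return idx


# Constructed input: three blocks copied from the report above, page links removed.
SAMPLE = """\
APIs
  • Part of subcall function 0040648C: RegCloseKey.ADVAPI32(?,00406598,00000000,00000000,00000005,00000000,00406591,?,80000001,Software\\Borland\\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 0040658B
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Open$FileModuleNameQueryValue$Close
APIs
  • Part of subcall function 0068CF7A: GetModuleHandleA.KERNEL32(?), ref: 0068CFE5
  • Part of subcall function 0068CF7A: LoadLibraryA.KERNEL32(?), ref: 0068CFF5
• FreeLibrary.KERNEL32(00000000,00000000,?), ref: 0068FA68
Memory Dump Source
• Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Library$FreeHandleLoadModule
• Instruction Fuzzy Hash: DCF0F83090020DFFCF04FFA0D906BADBAB6AF05364F108168E509A6260E7719F40EB54
APIs
  • Part of subcall function 00689BD7: EnterCriticalSection.KERNEL32(00695AC8), ref: 00689C01
  • Part of subcall function 00689BD7: CreateFileA.KERNEL32(024B0AF8,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 00689C3D
• CreateFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0068F7D2
Memory Dump Source
• Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
"""

if __name__ == "__main__":
    blocks = parse_blocks(SAMPLE)
    for b in functions_in_rwx_memory(blocks):
        print(hex(b.source["base"]), b.source["protect"], b.fields.get("API ID"))
    for name, refs in sorted(api_index(blocks).items()):
        print(name, sorted(refs))
```

Run against the full report text rather than the sample and the RWX filter becomes a quick way to separate the Delphi runtime at 0x401000 (the `Software\Borland\Locales` lookup is ordinary Borland locale-resource code) from the second-stage code at 0x688000 that does the file and library handling; the fuzzy hashes and `API String ID` values kept in `fields` can then be compared across reports of related samples.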
C-Code - Quality: 77%
E0068E6F9(void* __ecx, long _a4) {
	void* _v8;
	void* _v12;
	void* _t8;
	void* _t9;

	_push(__ecx);
	_push(__ecx); // executed
	_t8 = E0068E736(__ecx); // executed
	_v12 = _t8;
	if(_a4 != 0) {
		_t9 = RtlAllocateHeap(_v12, 8, _a4); // executed
		_v8 = _t9;
		if(_v8 == 0) {
			E0068E6E1(_t9, 0xef000009);
		}
		return _v8;
	}
                                                                                                                                                                                      				return 0;
                                                                                                                                                                                      			}


APIs
• Part of subcall function 0068E736: HeapCreate.KERNEL32(00000001,00010000,00000000,024B0488,?,0068E703,024B0488,024B0488,?,00688580,00000068), ref: 0068E74C
• RtlAllocateHeap.NTDLL(00000000,00000008,00000000,024B0488,024B0488,?,00688580,00000068), ref: 0068E718
Memory Dump Source
• Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateCreate
• String ID:
• API String ID: 2875408731-0
• Opcode ID: a776423ea0cc2cbf8adb5233bd53461780e80f9df620bcbea159fbc200ab271b
• Instruction ID: 3fc964fce8dc33838d71249ad058ef9df1b0035eca90cce59a3c9193207afde2
• Opcode Fuzzy Hash: a776423ea0cc2cbf8adb5233bd53461780e80f9df620bcbea159fbc200ab271b
• Instruction Fuzzy Hash: CBE04F3490020CFFDF90FFB0C90979CBAB6AB14344F608959F406A6240E7B29B81DB10
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
    E0068E736(void* __ecx) {
        void* _v8;
        void* _t9;

        if( *0x695b08 != 0) {
            _t6 =  *0x695b08; // 0x24b0000
            _v8 = _t6;
        } else {
            _t9 = HeapCreate(1, 0x10000, 0); // executed
            _v8 = _t9;
            _t6 = _v8;
             *0x695b08 = _v8;
        }
        if(_v8 == 0) {
            E0068E6E1(_t6, 0xef00000d);
        }
        return _v8;
    }


APIs
• HeapCreate.KERNEL32(00000001,00010000,00000000,024B0488,?,0068E703,024B0488,024B0488,?,00688580,00000068), ref: 0068E74C
Memory Dump Source
• Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: CreateHeap
• String ID:
• API String ID: 10892065-0
• Opcode ID: 306ac40aa62a56fdb7e2610bd52b501f600437afe2e5796cc1b110286d61f62d
• Instruction ID: 468488760adf29614de207bc3424647363610ac62bc734dd7459c8d879afb7f1
• Opcode Fuzzy Hash: 306ac40aa62a56fdb7e2610bd52b501f600437afe2e5796cc1b110286d61f62d
• Instruction Fuzzy Hash: 47E01A74A01308EFDB10EFA4DE45B9877BAA704748F20519AF506A7798D3B15F80DB14
Uniqueness

Uniqueness Score: -1.00%

APIs
• Part of subcall function 00689ABF: EnterCriticalSection.KERNEL32(00695AC8), ref: 00689AE9
• CreateFileMappingA.KERNEL32 ref: 0068F9E6
Memory Dump Source
• Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: CreateCriticalEnterFileMappingSection
• String ID:
• API String ID: 704181152-0
• Opcode ID: 3d0003f23a686a717af13698a718e849044c1cdef156c1e3f3d598af7ed318fd
• Instruction ID: e217971fd6b655911bf674b64fab1400329caef6777a19d7961ebbf844fa3ff0
• Opcode Fuzzy Hash: 3d0003f23a686a717af13698a718e849044c1cdef156c1e3f3d598af7ed318fd
• Instruction Fuzzy Hash: 76E07E3250010EFBCF02AF90DD018DE7FBAAB08344B008025FA1591120E332DA21AB90
Uniqueness

Uniqueness Score: -1.00%

APIs
• InterlockedDecrement.KERNEL32(?), ref: 0040698C
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: DecrementInterlocked
• String ID:
• API String ID: 3448037634-0
• Opcode ID: d7014855bf47c91553aeaf4b7a1610a6b26eed567596135cd20953664c376246
• Instruction ID: 0046cb5b9020794375a6d73e1610bcd6c5669f18f89209f502effbe02e7c89be
• Opcode Fuzzy Hash: d7014855bf47c91553aeaf4b7a1610a6b26eed567596135cd20953664c376246
• Instruction Fuzzy Hash: F4D05E72600229AB8B10AA99D8C4C96FB9CEB553AC3004076FA05DF312C936EC0487E4
Uniqueness

Uniqueness Score: -1.00%

APIs
• Part of subcall function 00689132: EnterCriticalSection.KERNEL32(00695AC8), ref: 0068915C
• FindNextFileA.KERNELBASE(?,?,?,?,?), ref: 0068FE6D
Memory Dump Source
• Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: CriticalEnterFileFindNextSection
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID: 4029508138-0
                                                                                                                                                                                      • Opcode ID: 2f490109b276da4f7f2bbd8138fd3a0249b5c667b6b0ba8a8eb73601b3dee986
                                                                                                                                                                                      • Instruction ID: 6ca91b685b09d66cf6d225038ae0fdc4cfb94c478b3ad2d785b7e046d4149fa7
                                                                                                                                                                                      • Opcode Fuzzy Hash: 2f490109b276da4f7f2bbd8138fd3a0249b5c667b6b0ba8a8eb73601b3dee986
                                                                                                                                                                                      • Instruction Fuzzy Hash: 69E0E23550010DFBCF41EFA0CD0889EBBBAEB04388F008025B90996221E331DB10AB50
Uniqueness
Uniqueness Score: -1.00%

APIs
• Part of subcall function 00689F93: EnterCriticalSection.KERNEL32(00695AC8), ref: 00689FBD
• FindCloseChangeNotification.KERNEL32(?,?,?), ref: 0068F8CF
Memory Dump Source
• Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: ChangeCloseCriticalEnterFindNotificationSection
• String ID:
• API String ID: 1375277949-0
• Opcode ID: 8a90da9ec171d2e9a0791728711775cc7cf3349ca514432b4a9accd641b4a383
• Instruction ID: 353ebf47ae127dd463ab81ecc934339e52056743866a81e8fe041da7d76e5d43
• Opcode Fuzzy Hash: 8a90da9ec171d2e9a0791728711775cc7cf3349ca514432b4a9accd641b4a383
• Instruction Fuzzy Hash: B5D06CB1500209BBCB01EFA5D90199EBABAAB14388B104176A905E2620E7719B11ABA4
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetComputerNameA.KERNEL32(00000000,B70F0B66), ref: 0042B51A
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: ComputerName
• String ID:
• API String ID: 3545744682-0
• Opcode ID: 4bcffc4582cbdaddebd56cb6d0573bdada6c99afd3b641f8f46c166cb4104413
• Instruction ID: 2d60a426fa513126a24d073db8b86c2ec8e19fa2fe59e45fd542b10d7ba368eb
• Opcode Fuzzy Hash: 4bcffc4582cbdaddebd56cb6d0573bdada6c99afd3b641f8f46c166cb4104413
• Instruction Fuzzy Hash: 91D0A7F160420017D300E694ECC19DA72CC87C4314F00093D7EC9962C1E6BC59889B53
Uniqueness
Uniqueness Score: -1.00%

APIs
• Part of subcall function 006891E8: EnterCriticalSection.KERNEL32(00695AC8,?,?,?,000000FF,?,0068A062,?,00000000,?), ref: 00689212
• FindClose.KERNEL32(?,?,?), ref: 0068FE40
Memory Dump Source
• Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: CloseCriticalEnterFindSection
• String ID:
• API String ID: 224337222-0
• Opcode ID: 404e10d1dada20ec1f117b476238e0f1ff77f1814b5422b019cf8117e5800d1b
• Instruction ID: 47693a42e8931838975e5ccc39640ffbff23e9693ff0a0f4b19f038f4edd3dc0
• Opcode Fuzzy Hash: 404e10d1dada20ec1f117b476238e0f1ff77f1814b5422b019cf8117e5800d1b
• Instruction Fuzzy Hash: 44D05E7050020DFBCB01EF60DD058DE7BBDAB10344B00406AF805E2220D331DF009B50
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateMutexA.KERNEL32(?,00000001,00000000,?,0042E795,?,00000000,00000000,?,00000000), ref: 0040723E
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: CreateMutex
• String ID:
• API String ID: 1964310414-0
• Opcode ID: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
• Instruction ID: 7db005d0661c92c352898ea82dffb6356d4ca7eae0ae56092ac729956557049e
• Opcode Fuzzy Hash: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
• Instruction Fuzzy Hash: FCC01273560248ABCB00EEA9DC06D9B33DCAB28609B008829BA28CB100C139E9908B64
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 79%
E0068E77C(void* __eax, void* __ecx, void* _a4) {
	void* _v8;
	char _t7;

	_push(__ecx);
	if(_a4 != 0) {
		_v8 = E0068E736(__ecx); // heap handle passed to RtlFreeHeap below
		_t7 = RtlFreeHeap(_v8, 0, _a4); // executed
		return _t7;
	}
	return __eax;
}

APIs
• RtlFreeHeap.NTDLL(?,00000000,00000000,?,?,0068ED1F,?,0068ED0F,?,?,?,?,?,?), ref: 0068E798
Memory Dump Source
• Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: 28e55378a39e6cd5172f320d7a7bd89442bb89bbf15ad1a148e665c1581e27ac
• Instruction ID: 75138f1a13822dae73e5c36c86800d7920c497f3f8f62c4897dff821313a5537
• Opcode Fuzzy Hash: 28e55378a39e6cd5172f320d7a7bd89442bb89bbf15ad1a148e665c1581e27ac
• Instruction Fuzzy Hash: 7DD0C93450021CFFEF20BFA0DD06BADBEBAEB00744F604255F50559150D6769B91EB55
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

APIs
• ReleaseMutex.KERNEL32(00000000,00000000,0042E96F,0042E977,00000000,0042E992,?,00000000,00000000), ref: 0042E7EC
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: MutexRelease
• String ID:
• API String ID: 1638419-0
• Opcode ID: 13a5adc392918f24a359c63fb25c668a5cff269fc648731c971dc0b5bf337393
• Instruction ID: 5d610b9cdd7177eda4d6c45f0915df94142cb1c25ef5d827e032f3fa3f04ca8c
• Opcode Fuzzy Hash: 13a5adc392918f24a359c63fb25c668a5cff269fc648731c971dc0b5bf337393
• Instruction Fuzzy Hash: EFA002E5B4930837D60072B71CC2D6B558C5948259390387B750ABA7C3AD7DBA50103E
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualFree.KERNEL32(FFFFFFFF,00000000,00008000), ref: 004017B4
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: 7ee5c974cb4bef6106f953fb03a21c4beb40b16e32bcb23ef0dfdf6637047f38
• Instruction ID: 210e13b86e5d394c0b0b95031727a0a1153672bfc5cb54779316c6ddd1ab46b4
• Opcode Fuzzy Hash: 7ee5c974cb4bef6106f953fb03a21c4beb40b16e32bcb23ef0dfdf6637047f38
• Instruction Fuzzy Hash: 9F21F274608701AFC714DF19C880A1BBBE1EF84760F14C96AF4989B3A4D338EC40CB9A
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualAlloc.KERNEL32(02AC0000,?,00001000,00000004), ref: 00401875
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 8b1d6562b131238e010f828cf975e6794dcf59884616fd9a3526576983f92fc9
• Instruction ID: 920e29322a0024707e70f0e54f444a0b541683d0f2aacef1ad4de7407b3d3b47
• Opcode Fuzzy Hash: 8b1d6562b131238e010f828cf975e6794dcf59884616fd9a3526576983f92fc9
• Instruction Fuzzy Hash: 82118272A047019FC314AF29CC80A1BB7E5EFC4760F15C53DE598673A4E734AD408B85
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualFree.KERNEL32(02AC0000,00100000,00004000,?,?,?,00001150,00005153,00401B03), ref: 004018F6
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: 7719c0eb744839d2bc25ce2335368f42900b32b1b28af7d6545a3241162aee8c
• Instruction ID: dd3e0c28f9c8dcdd11c57875e0ddbc556def2d70e86140b9399b2091ac16548c
• Opcode Fuzzy Hash: 7719c0eb744839d2bc25ce2335368f42900b32b1b28af7d6545a3241162aee8c
• Instruction Fuzzy Hash: 6901F7B7A442044FC311AF69DCC0A2B77E9EB84324F16453EEA85A73A1D23A6C01C7A4
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

APIs
• LoadCursorA.USER32(00000000,00007F89), ref: 0043F5FD
• SetCursor.USER32(00000000,00000000,00007F89,00000000,00440020), ref: 0043F603
• BeginPaint.USER32(?,?,00000000,00440020), ref: 0043F633
• GetClientRect.USER32(?,?), ref: 0043F640
• GetSysColor.USER32(0000000F), ref: 0043F654
• GetSysColor.USER32(00000015), ref: 0043F65C
• SelectObject.GDI32(?,?), ref: 0043F683
• GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 0043F6B6
• SetTextColor.GDI32(?,00900080), ref: 0043F6FC
• GetSysColor.USER32(0000000F), ref: 0043F719
• SetBkColor.GDI32(?,00000000), ref: 0043F726
• TextOutA.GDI32(?,?,?,00000000,00000000), ref: 0043F750
• SelectObject.GDI32(?,00000000), ref: 0043F75D
• EndPaint.USER32(?,?,?,00000000,?,?,?,00000000,00000000,?,00000000,0000000F,?,00000000,00000015,?), ref: 0043F76D
• NtdllDefWindowProc_A.NTDLL(?,?,?,?,00000000,00440020), ref: 0043F877
• NtdllDefWindowProc_A.NTDLL(?,?,?,?,00000000,00440020), ref: 00440003
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: Color$Text$CursorNtdllObjectPaintProc_SelectWindow$BeginClientExtentLoadPoint32Rect
• String ID: ,$http://madExcept.com
• API String ID: 1294446545-4113818653
• Opcode ID: f85f0e6e5bc3cd165576ec8fa53478c6593d80d2833802085e3c1d224ab3aef7
• Instruction ID: a87b7536818bc1a1f09d5d39b413d82975b112bd25cc63d2f5f512a0aef8cb30
• Opcode Fuzzy Hash: f85f0e6e5bc3cd165576ec8fa53478c6593d80d2833802085e3c1d224ab3aef7
• Instruction Fuzzy Hash: 42826471A04204AFDB10EF69D985F9E77E8AF09314F104166F908EF392C778ED858B99
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCursorPos.USER32(?), ref: 00427B09
• ScreenToClient.USER32(?,?), ref: 00427B19
• IsWindowEnabled.USER32(?), ref: 00427B38
• LoadCursorA.USER32(00000000,00007F89), ref: 00427B48
• SetCursor.USER32(00000000), ref: 00427B56
• GetSysColor.USER32(0000000F), ref: 00427C44
• GetSysColor.USER32(0000000F), ref: 00427CA7
• GetSysColor.USER32(0000000F), ref: 00427D08
• GetSysColor.USER32(0000000F), ref: 00427D10
• GetSysColor.USER32(00000015), ref: 00427D48
• NtdllDefWindowProc_A.NTDLL(?,?,?,?,00000000,00428404,?,?,?,?,00000013,00000000,00000000), ref: 00428381
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                      • Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp Download File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: Color$Cursor$Window$ClientEnabledLoadNtdllProc_Screen
                                                                                                                                                                                      • String ID: Arial$L:B$?B
                                                                                                                                                                                      • API String ID: 536557531-136738505
                                                                                                                                                                                      • Opcode ID: 4a940d65220726c27b1fbaf52ffd4aa6e42917025f05bce18b202c5f925d494e
                                                                                                                                                                                      • Instruction ID: ed5ec112c277b9ccae6a3beaa5f67e2a706bf2312eae5a444cff5a0ea541201c
                                                                                                                                                                                      • Opcode Fuzzy Hash: 4a940d65220726c27b1fbaf52ffd4aa6e42917025f05bce18b202c5f925d494e
                                                                                                                                                                                      • Instruction Fuzzy Hash: FE627F71B04218AFDB10DF69D885F9E77B5EF48314F50816AF904EB291CB38EE818B95
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

APIs
• IsWindowEnabled.USER32(00000000), ref: 0042909A
• EnableWindow.USER32(00000000,00000000), ref: 004290B8
• CreateCompatibleDC.GDI32(00000000), ref: 004290C6
• SelectObject.GDI32(?,?), ref: 00429282
• DeleteDC.GDI32(?), ref: 0042928B
  • Part of subcall function 00428F60: SendMessageA.USER32(?,00000030,?,00000000), ref: 00428FFF
• GetWindowRect.USER32(?,00000000), ref: 00429570
• GetClientRect.USER32(?,00000000), ref: 0042958B
• GetSystemMetrics.USER32(00000001), ref: 004295AA
• GetSystemMetrics.USER32(00000000), ref: 004295C0
• SetWindowPos.USER32(?,00000000,0000013B,00000000,?,00000001,0000013B,?,00000004,?,00000000,?,00000000), ref: 004295DC
  • Part of subcall function 0042860C: IsWindowEnabled.USER32(00000000), ref: 0042867D
• ShowWindow.USER32(?,00000001,00000000,?,00000000,0000013B,00000000,?,00000001,0000013B,?,00000004,?,00000000,?,00000000), ref: 0042960C
• IsIconic.USER32(?), ref: 00429617
• ShowWindow.USER32(?,00000009,?,?,00000001,00000000,?,00000000,0000013B,00000000,?,00000001,0000013B,?,00000004,?), ref: 00429628
• BringWindowToTop.USER32(?), ref: 00429633
• SetForegroundWindow.USER32(?), ref: 0042963E
• SetTimer.USER32(?,00000309,?,00000000), ref: 0042965E
• GetKeyState.USER32(00000010), ref: 004296DA
• IsDialogMessage.USER32(?,?), ref: 004297C9
• TranslateMessage.USER32(?), ref: 004297D6
• DispatchMessageA.USER32(?), ref: 004297DF
• IsWindow.USER32(?), ref: 004297EA
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004297FD
• VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,00000001,00000000,?,00000000,0000013B,00000000,?,00000001,0000013B,?), ref: 00429817
• EnableWindow.USER32(00000000,000000FF), ref: 00429833
• SetActiveWindow.USER32(00000000,00000000,000000FF,?,00000000,00008000,?,?,?,00000001,00000000,?,00000000,0000013B,00000000,?), ref: 0042983C
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: Window$Message$EnableEnabledMetricsRectShowSystem$ActiveBringClientCompatibleCreateDeleteDialogDispatchForegroundFreeIconicObjectSelectSendStateTimerTranslateVirtual
• String ID: ($Arial$L:B$Tahoma$?B
• API String ID: 2795582209-1470574360
• Opcode ID: d95a6417b918fb2839ea428ff22b2f49d6abb3c80d6d704c24dd845c5d66fa7e
• Instruction ID: 3ea0fa7b4e3fc62ed6e0cd7e681cfc7640ceb21129acb049869ea0ffd0291387
• Opcode Fuzzy Hash: d95a6417b918fb2839ea428ff22b2f49d6abb3c80d6d704c24dd845c5d66fa7e
• Instruction Fuzzy Hash: 4D525C31B001298FDB10EB69D881F9E73B5FF49304F9081AAE508AB356DB78AD85CF55
Uniqueness

Uniqueness Score: -1.00%

APIs
• OpenClipboard.USER32(00000000), ref: 0042CB39
• EmptyClipboard.USER32 ref: 0042CB42
• CloseClipboard.USER32 ref: 0042CB47
• OpenClipboard.USER32(00000000), ref: 0042CB4E
• GlobalAlloc.KERNEL32(00002002,00000001,00000000,00000000,0042CBBC), ref: 0042CB66
• GlobalFix.KERNEL32(00000000), ref: 0042CB6E
• GlobalUnWire.KERNEL32(00000000), ref: 0042CB94
• SetClipboardData.USER32(00000001,00000000), ref: 0042CB9C
• CloseClipboard.USER32 ref: 0042CBA1
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: Clipboard$Global$CloseOpen$AllocDataEmptyWire
• String ID:
• API String ID: 1447158080-0
• Opcode ID: 2a720689f135e0fac6c03eef10a6589b3c5a8bfc5718ffefd4103a63884cb338
• Instruction ID: be8751a62866e7428d42035bfe15854d99f690cdde3815c6a1f0b6a475fdf373
• Opcode Fuzzy Hash: 2a720689f135e0fac6c03eef10a6589b3c5a8bfc5718ffefd4103a63884cb338
• Instruction Fuzzy Hash: D4016570B082147EE651B7B69D43E2E769CDF80748F51047BB900B22C2DA7CAE00567E
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetWindowThreadProcessId.USER32(?,?), ref: 0042355F
• GetCurrentProcessId.KERNEL32(?,?), ref: 00423564
• IsWindowVisible.USER32(?), ref: 0042356F
• IsIconic.USER32(?), ref: 00423579
• GetWindowRect.USER32(?,?), ref: 00423587
• OffsetRect.USER32(?,?,?), ref: 0042359B
• CreateRectRgnIndirect.GDI32(?), ref: 004235A4
• CombineRgn.GDI32(?,?,00000000,00000002), ref: 004235B7
• DeleteObject.GDI32(00000000), ref: 004235BD
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: RectWindow$Process$CombineCreateCurrentDeleteIconicIndirectObjectOffsetThreadVisible
• String ID:
• API String ID: 17709045-0
• Opcode ID: f5689fe6b1f61399365e0a5c460bbf039d1a7d9dd1433dd98fa83d4e3bf5c136
• Instruction ID: b609e4cb5a784eeb67131a36571aec1631db591cdcd4d93f87af38dbe4eb0279
• Opcode Fuzzy Hash: f5689fe6b1f61399365e0a5c460bbf039d1a7d9dd1433dd98fa83d4e3bf5c136
• Instruction Fuzzy Hash: CE014471A08209BADB10EAB59C81DBF73EC9F04759B50092BB955F3182D63CFE40867A
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID:
• String ID: ; case jump table$ ; function entry point$ dd loc_$ else$ on $ do$ loc_$; ---------------------------------------------------------$[...]$loc_
• API String ID: 0-1122499465
• Opcode ID: bbddb7656bf446da9e163e05fb17d9a7a5f23b4869a689ff0583062485495d2a
• Instruction ID: 0afbd610ae460a683cbdb591ef5047859490a24c491cbb99adc4c41d9f7bca02
• Opcode Fuzzy Hash: bbddb7656bf446da9e163e05fb17d9a7a5f23b4869a689ff0583062485495d2a
• Instruction Fuzzy Hash: 3E624934A001089FDB14DF59C985BDEBBF2AF49314F2480A6E904EB391C778AED1CB58
Uniqueness

Uniqueness Score: -1.00%

APIs
• socket.WS2_32(00000002,00000002,00000011), ref: 00439C6D
• bind.WS2_32(00000000,B70F08FA,00000010), ref: 00439CA1
• htons.WS2_32(00000035), ref: 00439DDF
• sendto.WS2_32(00000000,B70F092E,?,00000000,B70F08FA,00000010), ref: 00439E11
• select.WS2_32(00000000,B70F07F6,00000000,00000000,B70F090A), ref: 00439EEE
• closesocket.WS2_32(00000000), ref: 00439F17
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: bindclosesockethtonsselectsendtosocket
• String ID:
• API String ID: 1985737304-0
• Opcode ID: 949e411e75a6d3c252a033b8ee6a0547588df79a61cb6d15ed11d1b4a806edf0
• Instruction ID: 583677dc133fbb023c93ebbce1a1a615947614f1377ced662c667ab6545df636
• Opcode Fuzzy Hash: 949e411e75a6d3c252a033b8ee6a0547588df79a61cb6d15ed11d1b4a806edf0
• Instruction Fuzzy Hash: C2915170A4022D8BDB20EB15CC85BD9B3B4EF58304F1051EAE918A7292D7789F85CF59
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetWindowThreadProcessId.USER32(?,?), ref: 004234CB
• GetCurrentProcessId.KERNEL32(?,?), ref: 004234D0
• IsWindowVisible.USER32(?), ref: 004234DB
• IsIconic.USER32(?), ref: 004234E5
• GetWindowRect.USER32(?,?), ref: 004234F3
• OffsetRect.USER32(?,?,?), ref: 00423507
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: Window$ProcessRect$CurrentIconicOffsetThreadVisible
• String ID:
• API String ID: 3306312098-0
• Opcode ID: 93d8bf5d2174936a93e6f87c61dce944ac7f217e9473e4b85a406fd627265c74
• Instruction ID: 563b47dbcccafdc312c53da9f17fb08761e1bd8707b9d84564be4b96ebb547c0
• Opcode Fuzzy Hash: 93d8bf5d2174936a93e6f87c61dce944ac7f217e9473e4b85a406fd627265c74
• Instruction Fuzzy Hash: B8112E70B04129AB8F00DE65D5C18AFB3B9AF443157604166FC04EB245E738EE418BFA
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 42%
E0068A2D1(void* __ecx, signed int* _a4, signed int _a8) {
	signed int _v8;
	char _v20;
	unsigned int _v32;
	signed int _v36;
	signed int _v40;
	signed int _v44;
	char _v48;
	intOrPtr _v52;
	void* _v56;
	void* _v60;
	signed int _v64;
	struct _FILETIME _v76;
	signed int _v80;
	signed int _v84;
	signed int _v88;
	long _v92;
	long _v96;
	unsigned int _v100;
	signed int _v104;
	struct _FILETIME* _v108;
	signed int _v112;
	signed int _v120;
	signed int _v124;
	signed int _v128;
	signed int _v132;
	void* __ebx;
	void* __edi;
	void* __esi;
	void* __ebp;
	signed int _t181;
	intOrPtr _t186;
	intOrPtr _t187;
	intOrPtr _t188;
	signed int _t200;
	struct _FILETIME* _t212;
	void* _t213;
	struct _FILETIME* _t214;
	struct _FILETIME* _t227;
	long _t243;
	int _t248;
	intOrPtr _t251;
	struct _FILETIME* _t261;
	struct _FILETIME* _t263;
	signed int _t266;
	struct _FILETIME* _t271;
	void* _t278;
	intOrPtr _t281;
	signed int _t282;
	intOrPtr _t285;
	signed int _t287;
	int _t290;
	void* _t316;
	void* _t323;
	void* _t324;
	intOrPtr _t326;

	_push(0xffffffff);
	_push(0x693458);
	_push(0x69052c);
	_push( *[fs:0x0]);
	 *[fs:0x0] = _t326;
	_push(__ecx);
	_push(__ecx);
	_push(_t278);
	_push(_t323);
	_push(_t316);
	_t281 =  *0x695af0; // 0x24b0b08
	_t2 = _t281 + 4; // 0x24b0e9c
	_v40 =  *_a4 -  *_t2 >> 4;
	_v44 = _v44 & 0x00000000;
	_v64 = _v64 & 0x00000000;
	while(_v64 < 3) {
		_t13 = 0x69540c + _v64 * 0x18; // 0x695ae400
		if( *_t13 !=  *_a4) {
			L6:
			_t271 = _v64 + 1;
			__eflags = _t271;
			_v64 = _t271;
			continue;
		} else {
                                                                                                                                                                                      						_t15 = 0x695408 + _v64 * 0x18; // 0x0
                                                                                                                                                                                      						if( *_t15 != _a8) {
                                                                                                                                                                                      							goto L6;
                                                                                                                                                                                      						} else {
                                                                                                                                                                                      							_t18 = 0x695410 + _v64 * 0x18; // 0x0
                                                                                                                                                                                      							_t213 =  *( *_t18);
                                                                                                                                                                                      						}
                                                                                                                                                                                      					}
                                                                                                                                                                                      					L38:
                                                                                                                                                                                      					 *[fs:0x0] = _v20;
                                                                                                                                                                                      					return _t213;
                                                                                                                                                                                      				}
                                                                                                                                                                                      				GetSystemTimeAsFileTime( &_v76);
                                                                                                                                                                                      				_v80 = _v80 & 0x00000000;
                                                                                                                                                                                      				while(1) {
                                                                                                                                                                                      					__eflags = _v80 - 3;
                                                                                                                                                                                      					if(_v80 >= 3) {
                                                                                                                                                                                      						break;
                                                                                                                                                                                      					}
                                                                                                                                                                                      					_v120 = _v80 * 0x18;
                                                                                                                                                                                      					__eflags = _v76.dwHighDateTime -  *((intOrPtr*)(_v120 + 0x695404));
                                                                                                                                                                                      					if(__eflags >= 0) {
                                                                                                                                                                                      						if(__eflags > 0) {
                                                                                                                                                                                      							L13:
                                                                                                                                                                                      							_t263 = _v80 * 0x18;
                                                                                                                                                                                      							__eflags = _t263;
                                                                                                                                                                                      							_t34 = _t263 + 0x695400; // 0x0
                                                                                                                                                                                      							_v76.dwLowDateTime =  *_t34;
                                                                                                                                                                                      							_t36 = _t263 + 0x695404; // 0x0
                                                                                                                                                                                      							_v76.dwHighDateTime =  *_t36;
                                                                                                                                                                                      							_v44 = _v80;
                                                                                                                                                                                      						} else {
                                                                                                                                                                                      							_t266 = _v120;
                                                                                                                                                                                      							__eflags = _v76.dwLowDateTime -  *((intOrPtr*)(_t266 + 0x695400));
                                                                                                                                                                                      							if(_v76.dwLowDateTime >  *((intOrPtr*)(_t266 + 0x695400))) {
                                                                                                                                                                                      								goto L13;
                                                                                                                                                                                      							}
                                                                                                                                                                                      						}
                                                                                                                                                                                      					}
                                                                                                                                                                                      					_t261 = _v80 + 1;
                                                                                                                                                                                      					__eflags = _t261;
                                                                                                                                                                                      					_v80 = _t261;
                                                                                                                                                                                      				}
                                                                                                                                                                                      				 *(0x695408 + _v44 * 0x18) =  *(0x695408 + _v44 * 0x18) & 0x00000000;
                                                                                                                                                                                      				 *(0x69540c + _v44 * 0x18) =  *(0x69540c + _v44 * 0x18) & 0x00000000;
                                                                                                                                                                                      				_t181 = _v44 * 0x18;
                                                                                                                                                                                      				 *(_t181 + 0x695400) =  *(_t181 + 0x695400) & 0x00000000;
                                                                                                                                                                                      				 *(_t181 + 0x695404) =  *(_t181 + 0x695404) & 0x00000000;
                                                                                                                                                                                      				_t52 = 0x695410 + _v44 * 0x18; // 0x695ae4
                                                                                                                                                                                      				_v60 =  *((intOrPtr*)( *_t52));
                                                                                                                                                                                      				_t186 =  *0x695af0; // 0x24b0b08
                                                                                                                                                                                      				_t54 = _t186 + 8; // 0x24b0f7c
                                                                                                                                                                                      				_t187 =  *_t54;
                                                                                                                                                                                      				_t282 = _v40;
                                                                                                                                                                                      				__eflags =  *(_t187 + _t282 * 8);
                                                                                                                                                                                      				if( *(_t187 + _t282 * 8) != 0) {
                                                                                                                                                                                      					L23:
                                                                                                                                                                                      					_t188 =  *0x695af0; // 0x24b0b08
                                                                                                                                                                                      					_t107 = _t188 + 8; // 0x24b0f7c
                                                                                                                                                                                      					_t283 = _v40;
                                                                                                                                                                                      					_v52 =  *((intOrPtr*)( *_t107 + _v40 * 8));
                                                                                                                                                                                      					_v36 = _v36 & 0x00000000;
                                                                                                                                                                                      					_v32 = _v32 & 0x00000000;
                                                                                                                                                                                      					__eflags = _a8;
                                                                                                                                                                                      					if(_a8 != 0) {
                                                                                                                                                                                      						_v100 =  *((intOrPtr*)( *_a4 + 8)) + 0xffff >> 0x10;
                                                                                                                                                                                      						__eflags = _a8 - _v100;
                                                                                                                                                                                      						if(_a8 >= _v100) {
                                                                                                                                                                                      							_push( *0x693500);
                                                                                                                                                                                      							_push(0x84);
                                                                                                                                                                                      							_push( *0x693504);
                                                                                                                                                                                      							E0068E82B(_t283);
                                                                                                                                                                                      						}
                                                                                                                                                                                      						_v104 = _v104 & 0x00000000;
                                                                                                                                                                                      						while(1) {
                                                                                                                                                                                      							__eflags = _v104 - _a8;
                                                                                                                                                                                      							if(_v104 >= _a8) {
                                                                                                                                                                                      								goto L30;
                                                                                                                                                                                      							}
                                                                                                                                                                                      							_v36 = _v36 + ( *(_v52 + _v104 * 4) & 0x7fffffff);
                                                                                                                                                                                      							_t227 = _v104 + 1;
                                                                                                                                                                                      							__eflags = _t227;
                                                                                                                                                                                      							_v104 = _t227;
                                                                                                                                                                                      						}
                                                                                                                                                                                      					}
                                                                                                                                                                                      					L30:
                                                                                                                                                                                      					_v56 = L0068A094(_t278, _t316, _t323, _a4,  *((intOrPtr*)( *_a4 + 4)) + _v36,  *(_v52 + _a8 * 4) & 0x7fffffff,  &_v32);
                                                                                                                                                                                      					__eflags = _v56;
                                                                                                                                                                                      					if(_v56 != 0) {
                                                                                                                                                                                      						_v48 = 0x10000;
                                                                                                                                                                                      						_t200 = _a8;
                                                                                                                                                                                      						_t285 = _v52;
                                                                                                                                                                                      						__eflags =  *(_t285 + _t200 * 4) & 0x80000000;
                                                                                                                                                                                      						if(( *(_t285 + _t200 * 4) & 0x80000000) != 0) {
                                                                                                                                                                                      							_t324 = _v56;
                                                                                                                                                                                      							_t287 = _v32 >> 2;
                                                                                                                                                                                      							_t290 = memcpy(_v60, _t324, _t287 << 2) & 0x00000003;
                                                                                                                                                                                      							__eflags = _t290;
                                                                                                                                                                                      							memcpy(_t324 + _t287 + _t287, _t324, _t290);
                                                                                                                                                                                      							goto L37;
                                                                                                                                                                                      						} else {
                                                                                                                                                                                      							_t214 =  &_v48;
                                                                                                                                                                                      							0x692aee(_v60, _t214, _v56, _v32);
                                                                                                                                                                                      							_v108 = _t214;
                                                                                                                                                                                      							__eflags = _v108;
                                                                                                                                                                                      							if(_v108 == 0) {
                                                                                                                                                                                      								L37:
                                                                                                                                                                                      								 *(0x695408 + _v44 * 0x18) = _a8;
                                                                                                                                                                                      								 *(0x69540c + _v44 * 0x18) =  *_a4;
                                                                                                                                                                                      								_t212 = 0x695400 + _v44 * 0x18;
                                                                                                                                                                                      								__eflags = _t212;
                                                                                                                                                                                      								GetSystemTimeAsFileTime(_t212);
                                                                                                                                                                                      								_t213 = _v60;
                                                                                                                                                                                      							} else {
                                                                                                                                                                                      								E0068EC88(_t285, ":BOX:ReadCompressedSection: decompresion failed with code %d", _v108);
                                                                                                                                                                                      								_t213 = 0;
                                                                                                                                                                                      							}
                                                                                                                                                                                      						}
                                                                                                                                                                                      					} else {
                                                                                                                                                                                      						_t213 = 0;
                                                                                                                                                                                      					}
                                                                                                                                                                                      				} else {
                                                                                                                                                                                      					_v88 =  *((intOrPtr*)( *_a4 + 8)) + 0xffff >> 0x10;
                                                                                                                                                                                      					_v84 = _v84 & 0x00000000;
                                                                                                                                                                                      					_v8 = _v8 & 0x00000000;
                                                                                                                                                                                      					_v112 = E0068E6F9(_t282, _v88 << 2);
                                                                                                                                                                                      					_v84 = _v112;
                                                                                                                                                                                      					_v92 = _v92 & 0x00000000;
                                                                                                                                                                                      					_v96 =  *((intOrPtr*)( *_a4 + 4)) - (_v88 << 2);
                                                                                                                                                                                      					_t243 = SetFilePointer(_a4[2], _v96, 0, 0);
                                                                                                                                                                                      					__eflags = _t243 - _v96;
                                                                                                                                                                                      					if(_t243 == _v96) {
						_t248 = ReadFile(_a4[2], _v84, _v88 << 2,  &_v92, 0);
						__eflags = _t248;
						if(_t248 != 0) {
							__eflags = _v92 - _v88 << 2;
							if(_v92 == _v88 << 2) {
								_t251 =  *0x695af0; // 0x24b0b08
								_t98 = _t251 + 8; // 0x24b0f7c
								 *((intOrPtr*)( *_t98 + _v40 * 8)) = _v84;
								_v84 = _v84 & 0x00000000;
								_v8 = _v8 | 0xffffffff;
								E0068A508(_v40);
								goto L23;
							} else {
								_v132 = _v132 & 0x00000000;
								0x690476( &_v20, 0xffffffff);
								_t213 = _v132;
							}
						} else {
							_v128 = _v128 & 0x00000000;
							0x690476( &_v20, 0xffffffff);
							_t213 = _v128;
						}
					} else {
						_v124 = _v124 & 0x00000000;
						0x690476( &_v20, 0xffffffff);
						_t213 = _v124;
					}
				}
				goto L38;
			}
Instruction address column of the decompiled function listing, extracted separately from the code lines it annotated (0x00000000 marks lines with no address; the column continues below):
0x0068a2d4 0x0068a2d6 0x0068a2db 0x0068a2e6 0x0068a2e7 0x0068a2ee 0x0068a2ef 0x0068a2f3
0x0068a2f4 0x0068a2f5 0x0068a2f9 0x0068a301 0x0068a307 0x0068a30a 0x0068a30e 0x0068a31b
0x0068a32a 0x0068a332 0x0068a358 0x0068a317 0x0068a317 0x0068a318 0x00000000 0x0068a334
0x0068a33a 0x0068a343 0x00000000 0x0068a345 0x0068a34b 0x0068a351 0x0068a351 0x0068a343
0x0068a664 0x0068a667 0x0068a672 0x0068a672 0x0068a35e 0x0068a364 0x0068a371 0x0068a371
0x0068a375 0x00000000 0x00000000 0x0068a37d 0x0068a386 0x0068a38c 0x0068a38e 0x0068a39e
0x0068a3a1 0x0068a3a1 0x0068a3a4 0x0068a3aa 0x0068a3ad 0x0068a3b3 0x0068a3b9 0x0068a390
0x0068a390 0x0068a396 0x0068a39c 0x00000000 0x00000000 0x0068a39c 0x0068a38e 0x0068a36d
0x0068a36d 0x0068a36e 0x0068a36e 0x0068a3c4 0x0068a3d1 0x0068a3db 0x0068a3de 0x0068a3e5
0x0068a3f2 0x0068a3fa 0x0068a3fd 0x0068a402 0x0068a402 0x0068a405 0x0068a408 0x0068a40c
0x0068a518 0x0068a518 0x0068a51d 0x0068a520 0x0068a526 0x0068a529 0x0068a52d 0x0068a531
0x0068a535 0x0068a547 0x0068a54d 0x0068a550 0x0068a552 0x0068a558 0x0068a55d 0x0068a563
0x0068a563 0x0068a568 0x0068a575 0x0068a578 0x0068a57b 0x00000000 0x00000000 0x0068a590
0x0068a571 0x0068a571 0x0068a572 0x0068a572 0x0068a575 0x0068a595 0x0068a5bc 0x0068a5bf
0x0068a5c3 0x0068a5cc 0x0068a5d3 0x0068a5d6 0x0068a5e1 0x0068a5e3 0x0068a61b 0x0068a623
0x0068a62a 0x0068a62a 0x0068a62d 0x00000000 0x0068a5e5 0x0068a5eb 0x0068a5f2 0x0068a5fa
0x0068a5fd 0x0068a601 0x0068a62f 0x0068a638 0x0068a649 0x0068a655 0x0068a655 0x0068a65b
0x0068a661 0x0068a603 0x0068a60b 0x0068a612 0x0068a612 0x0068a601 0x0068a5c5 0x0068a5c5
0x0068a5c5 0x0068a412 0x0068a422 0x0068a425 0x0068a429 0x0068a43a 0x0068a440 0x0068a443
0x0068a457 0x0068a467 0x0068a46d 0x0068a470
                                                                                                                                                                                      0x0068a4a1
                                                                                                                                                                                      0x0068a4a7
                                                                                                                                                                                      0x0068a4a9
                                                                                                                                                                                      0x0068a4ca
                                                                                                                                                                                      0x0068a4cd
                                                                                                                                                                                      0x0068a4e8
                                                                                                                                                                                      0x0068a4ed
                                                                                                                                                                                      0x0068a4f6
                                                                                                                                                                                      0x0068a4f9
                                                                                                                                                                                      0x0068a4fd
                                                                                                                                                                                      0x0068a501
                                                                                                                                                                                      0x00000000
                                                                                                                                                                                      0x0068a4cf
                                                                                                                                                                                      0x0068a4d1
                                                                                                                                                                                      0x0068a4d9
                                                                                                                                                                                      0x0068a4e0
                                                                                                                                                                                      0x0068a4e0
                                                                                                                                                                                      0x0068a4ab
                                                                                                                                                                                      0x0068a4ad
                                                                                                                                                                                      0x0068a4b5
                                                                                                                                                                                      0x0068a4bc
                                                                                                                                                                                      0x0068a4bc
                                                                                                                                                                                      0x0068a472
                                                                                                                                                                                      0x0068a474
                                                                                                                                                                                      0x0068a47c
                                                                                                                                                                                      0x0068a483
                                                                                                                                                                                      0x0068a483
                                                                                                                                                                                      0x0068a470
                                                                                                                                                                                      0x00000000

                                                                                                                                                                                      APIs
                                                                                                                                                                                      • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0068A35E
                                                                                                                                                                                      • SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 0068A467
                                                                                                                                                                                      • ReadFile.KERNEL32(?,00000000,?,00000000,00000000), ref: 0068A4A1
                                                                                                                                                                                      Strings
                                                                                                                                                                                      • :BOX:ReadCompressedSection: decompresion failed with code %d, xrefs: 0068A606
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                      • Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp Download File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: File$Time$PointerReadSystem
                                                                                                                                                                                      • String ID: :BOX:ReadCompressedSection: decompresion failed with code %d
                                                                                                                                                                                      • API String ID: 988849968-1091814870
                                                                                                                                                                                      • Opcode ID: e67d7ca423477c9b3f92182f58ba8e87614acac0ca7e9c8822f92ccfd6b280fc
                                                                                                                                                                                      • Instruction ID: afde831c0cef287e00f9f0dce28d97f96fe95f7ff0716822c0202dce635f79bc
                                                                                                                                                                                      • Opcode Fuzzy Hash: e67d7ca423477c9b3f92182f58ba8e87614acac0ca7e9c8822f92ccfd6b280fc
                                                                                                                                                                                      • Instruction Fuzzy Hash: 88D12C71A00208DFDB14DF98D985AACB7F6FF18311F64821AE816EB7A1D734A985CF11
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

C-Code - Quality: 50%
/* Decompiled fatal-error reporter (Joe Sandbox listing; the comments are added
   here and are not part of the sandbox output). The routine formats the text of
   the current Win32 error, builds the line "windows error %s  at %s(%d)" from it
   and the two arguments, hands the line to E0068EAC6 (which, per the subcall APIs
   listed below, shows a MessageBoxA and then calls TerminateProcess), and releases
   the FormatMessageA buffer in E0068EDC4 (LocalFree). The two arguments read like a
   source file name and a line number; that is inferred from the format string, the
   report does not confirm it. */
			E0068ED30(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;            /* SEH trylevel slot */
				intOrPtr _v20;             /* saved previous fs:[0] frame */
				signed int _v32;           /* output buffer for the formatted line */
				char _v36;                 /* receives the system-allocated error text */
				signed int _v40;
				void* __ebp;
				signed int _t20;
				void* _t27;
				signed int _t31;
				void* _t32;
				void* _t34;
				intOrPtr _t38;

				/* MSVC-style SEH prologue: trylevel, scope table, handler, link into fs:[0] */
				_push(0xffffffff);
				_push(0x693558);
				_push(0x69052c);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t38;
				_push(__ecx);
				_push(__ecx);
				_v32 = _v32 & 0x00000000;
				_v36 = _v36 & 0x00000000;
				_v8 = _v8 & 0x00000000;
				_t20 = E0068E6F9(__ecx, 0x1000);      /* presumably allocates the 0x1000-byte output buffer */
				_t31 = _t34;
				_v40 = _t20;
				_v32 = _v40;
				/* 0x1300 = FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_IGNORE_INSERTS | FORMAT_MESSAGE_FROM_SYSTEM,
				   0x400 = MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT): the system allocates the
				   message text and stores its pointer in _v36, which is why LocalFree appears in E0068EDC4 */
				FormatMessageA(0x1300, 0, GetLastError(), 0x400,  &_v36, 0, 0);
				_push(_a8);
				_push(_a4);
				_push(_v36);
				wsprintfA(_v32, "windows error %s  at %s(%d)");   /* wsprintfA writes at most 1024 bytes, buffer is 0x1000 */
				E0068EAC6(_t31, _v32);                            /* report the line and terminate the process */
				_pop(_t32);
				_v8 = _v8 | 0xffffffff;                           /* trylevel = -1: leave the guarded scope */
				_t27 = E0068EDC4(_t32);                           /* cleanup: LocalFree of the FormatMessageA buffer */
				 *[fs:0x0] = _v20;                                /* unlink the SEH frame */
				return _t27;
			}
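The two format strings recovered in this part of the report, ":BOX:ReadCompressedSection: decompresion failed with code %d" from the previous routine and the "windows error %s  at %s(%d)" line this routine passes to wsprintfA, are the kind of literals an analyst turns into a detection. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it searches a raw dump for both strings, converts hit offsets to virtual addresses under the assumption that the dump is the flat image based at 0x400000 (the report's "Offset: 00400000, based on PE"), and emits a YARA rule that requires both. The dump it scans is constructed inline, the rule name is invented, and the pattern for the second string tolerates any run of spaces before "at" because the report prints it once with two spaces (in the decompiled call) and once with one (in the Strings list). The misspelling "decompresion" is kept deliberately: it is what is in the binary, and a rule that corrects it would not match.

```python
import re

# Byte-exact marker strings as they appear in the report's disassembly section.
# The sample's own typo "decompresion" is preserved on purpose.
S_DECOMPRESS = b":BOX:ReadCompressedSection: decompresion failed with code %d"
# The report shows this format string with both one and two spaces before "at",
# so the pattern accepts any run of spaces/tabs there.
S_WINERROR = re.compile(rb"windows error %s[ \t]+at %s\(%d\)")

# Assumption: the dump is a flat image whose offset 0 is the PE image base.
IMAGE_BASE = 0x400000


def find_strings(blob: bytes, image_base: int = IMAGE_BASE) -> dict:
    """Return {marker_name: [virtual_address, ...]} for every occurrence.

    Offsets are turned into virtual addresses by adding image_base, which is only
    correct for a flat dump (assumption, see above); for a PE on disk you would
    map file offsets through the section table instead.
    """
    hits = {"decompress_fail": [], "windows_error": []}
    start = 0
    while True:
        i = blob.find(S_DECOMPRESS, start)
        if i < 0:
            break
        hits["decompress_fail"].append(image_base + i)
        start = i + 1
    for m in S_WINERROR.finditer(blob):
        hits["windows_error"].append(image_base + m.start())
    return hits


def matches(blob: bytes) -> bool:
    """Triage verdict mirroring the rule's 'all of them': both markers must be present."""
    h = find_strings(blob)
    return bool(h["decompress_fail"]) and bool(h["windows_error"])


def yara_rule(name: str = "njw_box_error_strings") -> str:
    """Emit a YARA rule pinning both strings (rule name is a made-up example)."""
    return "\n".join([
        f"rule {name}",
        "{",
        "    strings:",
        f'        $s1 = "{S_DECOMPRESS.decode()}" ascii',
        r"        $s2 = /windows error %s[ \t]+at %s\(%d\)/ ascii",
        "    condition:",
        "        all of them",
        "}",
    ])


def constructed_dump() -> bytes:
    """Constructed stand-in for a memory dump: filler, then the two NUL-terminated
    strings, the second with the double space seen in the decompiled wsprintfA call."""
    return (b"\x00" * 0x100
            + S_DECOMPRESS + b"\x00"
            + b"\xcc" * 0x40
            + b"windows error %s  at %s(%d)\x00"
            + b"\x00" * 0x20)


if __name__ == "__main__":
    dump = constructed_dump()
    for marker, addrs in find_strings(dump).items():
        print(marker, [hex(a) for a in addrs])
    print("both markers present:", matches(dump))
    print(yara_rule())
```

Run against a real dump by replacing constructed_dump() with the file's bytes; the address conversion is the part to revisit first, since the dump sections listed in the report are separate regions rather than one contiguous image.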

                                                                                                                                                                                      APIs
                                                                                                                                                                                      • GetLastError.KERNEL32(00000400,00000000,00000000,00000000), ref: 0068ED82
                                                                                                                                                                                      • FormatMessageA.KERNEL32(00001300,00000000,00000000), ref: 0068ED90
                                                                                                                                                                                      • wsprintfA.USER32 ref: 0068EDA7
                                                                                                                                                                                        • Part of subcall function 0068EAC6: EnterCriticalSection.KERNEL32(024B0440), ref: 0068EAF7
                                                                                                                                                                                        • Part of subcall function 0068EAC6: GetModuleHandleA.KERNEL32(00000000), ref: 0068EB33
                                                                                                                                                                                        • Part of subcall function 0068EAC6: MessageBoxA.USER32 ref: 0068EC40
                                                                                                                                                                                        • Part of subcall function 0068EAC6: GetCurrentProcess.KERNEL32(00000000,?,?,00000000), ref: 0068EC48
                                                                                                                                                                                        • Part of subcall function 0068EAC6: TerminateProcess.KERNEL32(00000000,?,?,00000000), ref: 0068EC4F
                                                                                                                                                                                        • Part of subcall function 0068EDC4: LocalFree.KERNEL32(00000000,0068EDC2), ref: 0068EDCD
                                                                                                                                                                                      Strings
                                                                                                                                                                                      • windows error %s at %s(%d), xrefs: 0068ED9F
                                                                                                                                                                                      Memory Dump Source
• Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: MessageProcess$CriticalCurrentEnterErrorFormatFreeHandleLastLocalModuleSectionTerminatewsprintf
• String ID: windows error %s at %s(%d)
• API String ID: 1873294848-562281301
• Opcode ID: 3ce10c325d7201445262765afa2c14ea25fb1da23ccf1d3949ef13268116b5a6
• Instruction ID: 94ea3fc161b59d92e7cd4ae2c5e1241a64dab3a4fbd72e82f6a9431f30fa2eac
• Opcode Fuzzy Hash: 3ce10c325d7201445262765afa2c14ea25fb1da23ccf1d3949ef13268116b5a6
• Instruction Fuzzy Hash: 18117072A44214FFDF01AF94DC06FEDBBBAFB08B62F104219F221A56D1C7B55A048B65
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 82%
			E0068D8ED(void* __ecx, void* __eflags, intOrPtr _a4) {
				CHAR* _v8;
				void* _v12;
				CHAR* _v16;
				struct _WIN32_FIND_DATAA _v340;
				CHAR* _v344;
				CHAR* _t17;
				CHAR* _t18;
				int _t21;
				void* _t49;
				void* _t50;
				void* _t51;

				_t17 = E0068EDF2(__ecx, 0xffffffff, 0, _a4);
				_t51 = _t50 + 0xc;
				_v8 = _t17;
				_t18 = E0068E6F9(__ecx, 0x105);
				_pop(0);
				_v344 = _t18;
				_v16 = _v344;
				_t21 = FindFirstFileA(_v8,  &_v340);
				_v12 = _t21;
				if(_v12 != 0) {
					do {
						GetTempPathA(0x104, _v16);
						asm("repne scasb");
						_t49 =  &(_v340.cFileName) -  !0xffffffff;
						asm("repne scasb");
						memcpy(_v16 - 1, _t49,  !0xffffffff >> 2 << 2);
						memcpy(_t49 + 0x175b75a, _t49, 1);
						_t51 = _t51 + 0x18;
						DeleteFileA(_v16);
						_t21 = FindNextFileA(_v12,  &_v340);
					} while (_t21 != 0);
				}
				return _t21;
			}

                                                                                                                                                                                      APIs
                                                                                                                                                                                        • Part of subcall function 0068EDF2: GetCurrentProcessId.KERNEL32(?,?,00000084,00000000,?,?,?,00000084), ref: 0068EE33
                                                                                                                                                                                        • Part of subcall function 0068EDF2: GetTempPathA.KERNEL32(00000104,?,?,?,00000084,00000000), ref: 0068EE84
                                                                                                                                                                                        • Part of subcall function 0068EDF2: wsprintfA.USER32 ref: 0068EEC1
                                                                                                                                                                                        • Part of subcall function 0068EDF2: CharUpperBuffA.USER32(?,?,?,?,?,00000000), ref: 0068EF30
                                                                                                                                                                                      • FindFirstFileA.KERNEL32(?,?,?,?,00000084), ref: 0068D92F
                                                                                                                                                                                      • GetTempPathA.KERNEL32(00000104,00000000,?,?,00000084), ref: 0068D946
                                                                                                                                                                                      • DeleteFileA.KERNEL32(00000000,?,?,00000084), ref: 0068D97F
                                                                                                                                                                                      • FindNextFileA.KERNEL32(00000000,?,?,?,00000084), ref: 0068D98F
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                      • Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp Download File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: File$FindPathTemp$BuffCharCurrentDeleteFirstNextProcessUpperwsprintf
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID: 3474902253-0
                                                                                                                                                                                      • Opcode ID: d12be983f79cdb192096b87e65848e09cb08ef1c25836017d9f94703ee233388
                                                                                                                                                                                      • Instruction ID: 7636debc61b5fdca0d03105b20446740356eb0f7c7c08e5953e8ecb4ef76177d
                                                                                                                                                                                      • Opcode Fuzzy Hash: d12be983f79cdb192096b87e65848e09cb08ef1c25836017d9f94703ee233388
                                                                                                                                                                                      • Instruction Fuzzy Hash: 05118271A00118EFDF149FB8DC49ADEBBBAEB84315F1042A9F525A62E0DB704E848B54
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                      Strings
                                                                                                                                                                                      • invalid bit length repeat, xrefs: 006915F8
                                                                                                                                                                                      • too many length or distance symbols, xrefs: 0069155F
                                                                                                                                                                                      • invalid stored block lengths, xrefs: 006914A5
                                                                                                                                                                                      • invalid block type, xrefs: 00690EB8
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                      • Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp Download File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID:
                                                                                                                                                                                      • String ID: invalid bit length repeat$invalid block type$invalid stored block lengths$too many length or distance symbols
                                                                                                                                                                                      • API String ID: 0-26694007
                                                                                                                                                                                      • Opcode ID: 1650f3dfa99bcd25bed48180fa0fd58161dee78b2e53bd540bc566e5bc44926c
                                                                                                                                                                                      • Instruction ID: fd87748a3076ceb0584b8bf02790cff3cf05ece0762af86fc8f8c9f1823e6ad0
                                                                                                                                                                                      • Opcode Fuzzy Hash: 1650f3dfa99bcd25bed48180fa0fd58161dee78b2e53bd540bc566e5bc44926c
                                                                                                                                                                                      • Instruction Fuzzy Hash: 406215B1A00206DFCF54CF58C980AADBBF6FF49310F2585AAE85A9B755D730DA81CB50
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                      APIs
                                                                                                                                                                                      • VirtualAlloc.KERNEL32(00000000,00004000,00001000,00000040,00000000,00414D96,B70F0AF2,?,?,00000000), ref: 00414A7E
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                      • Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp Download File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: AllocVirtual
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID: 4275171209-0
                                                                                                                                                                                      • Opcode ID: 99a594d28f348d31d1c2591101f464551af04c0f05e6109c2015bbfed6a449a2
                                                                                                                                                                                      • Instruction ID: 8ce194ba518936a4b333fd011f462e0e5ff98d913f679c6ccc15bf9a6c6b4d61
                                                                                                                                                                                      • Opcode Fuzzy Hash: 99a594d28f348d31d1c2591101f464551af04c0f05e6109c2015bbfed6a449a2
                                                                                                                                                                                      • Instruction Fuzzy Hash: 830297B4E0020A8FDB44DF99D486AAEBBF1FF88314F158166E604AB355D734E885CF94
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                      APIs
                                                                                                                                                                                      • GetWindowLongA.USER32(?,000000EB), ref: 00408BEF
                                                                                                                                                                                      • GetWindowLongA.USER32(?,000000EB), ref: 00408C4B
                                                                                                                                                                                      • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 00408C68
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                       • Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                                       • Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
                                                                                                                                                                                       • Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
                                                                                                                                                                                       • Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: Window$Long$NtdllProc_
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID: 3674618424-0
                                                                                                                                                                                      • Opcode ID: d94f093f6bbe880ab3f5af4fe66c9566d624e6b01ed229cb257ddcc8ef6add43
                                                                                                                                                                                      • Instruction ID: edaaff813c6da162dbd22a2388240dccd6d38522ba436c2451ccc983b7c183e0
                                                                                                                                                                                      • Opcode Fuzzy Hash: d94f093f6bbe880ab3f5af4fe66c9566d624e6b01ed229cb257ddcc8ef6add43
                                                                                                                                                                                      • Instruction Fuzzy Hash: B821C57260D249AEFB20DE68DA44B6B37B8DB05350F10487AF581E72C1DE39E852C739
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                      APIs
                                                                                                                                                                                      • EnterCriticalSection.KERNEL32(024B0458), ref: 0068F713
                                                                                                                                                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0068F738
                                                                                                                                                                                      • SetUnhandledExceptionFilter.KERNEL32(Function_0028EF6E), ref: 0068F748
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                       • Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                                       • Associated: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp
                                                                                                                                                                                       • Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
                                                                                                                                                                                       • Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: ExceptionFilterUnhandled$CriticalEnterSection
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID: 2707260832-0
                                                                                                                                                                                      • Opcode ID: c8cb39db758c780b7afe26a4f0328cfe34260d658491bb3760c95b1b090d08ea
                                                                                                                                                                                      • Instruction ID: 16602493a8c0b792393aeeaf27a46c263d804042018c12da5cf1d252690eb612
                                                                                                                                                                                      • Opcode Fuzzy Hash: c8cb39db758c780b7afe26a4f0328cfe34260d658491bb3760c95b1b090d08ea
                                                                                                                                                                                      • Instruction Fuzzy Hash: D31133B2904214AFDF10EF98EC45B9EBBBAFB04760F10462AF111E66D0D7359900CB64
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                      APIs
                                                                                                                                                                                      • FindResourceA.KERNEL32(00400000,TMADEXCEPT,0000000A), ref: 0042E20C
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                       • Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                                       • Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
                                                                                                                                                                                       • Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
                                                                                                                                                                                       • Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: FindResource
                                                                                                                                                                                      • String ID: TMADEXCEPT
                                                                                                                                                                                      • API String ID: 1635176832-1465931417
                                                                                                                                                                                      • Opcode ID: 8f4e9b681f455ee32d42f8674e9e35b3b176330d2b4250c9702126cd4e3cec6c
                                                                                                                                                                                      • Instruction ID: c725b7d58626e53fe214e60cda4a1b434475b4e0886b49ac211c9a0d1a7f6f8c
                                                                                                                                                                                      • Opcode Fuzzy Hash: 8f4e9b681f455ee32d42f8674e9e35b3b176330d2b4250c9702126cd4e3cec6c
                                                                                                                                                                                      • Instruction Fuzzy Hash: A2900244FC431060D85031A21C47F09100C2751B09FD045DA31067A1C344AD5500047B
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                      APIs
                                                                                                                                                                                      • GetThreadLocale.KERNEL32(0000000E,?,00000002,?,0040AD3E,-00000004,00000064,00000000,00000400,00000000,00000000,0040ADA1,?,?,00000000,00000000), ref: 0040AB23
                                                                                                                                                                                      • GetLocaleInfoA.KERNEL32(00000000,0000000E,?,00000002,?,0040AD3E,-00000004,00000064,00000000,00000400,00000000,00000000,0040ADA1,?,?,00000000), ref: 0040AB29
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                       • Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                                       • Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
                                                                                                                                                                                       • Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
                                                                                                                                                                                       • Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: Locale$InfoThread
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID: 4232894706-0
                                                                                                                                                                                      • Opcode ID: 1581144e534d70f8741df6b7492c8bc470a485f2353277b0e8b8dc98a3a0e48c
                                                                                                                                                                                      • Instruction ID: 92e52b635c2661cc65d96c96b3cbcad8bfe540f6b8f141e79983f72d97bbcf83
                                                                                                                                                                                      • Opcode Fuzzy Hash: 1581144e534d70f8741df6b7492c8bc470a485f2353277b0e8b8dc98a3a0e48c
                                                                                                                                                                                      • Instruction Fuzzy Hash: 5EE08C8860D3C1ACE20163746A06B363EAC0B61200F08086AA784EE2D7D27ED009E33B
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                      APIs
                                                                                                                                                                                      • InitializeSecurityDescriptor.ADVAPI32(?,00000001,00000000,0042E75C,00000000,0042E7BA,?,00000000), ref: 0042B800
                                                                                                                                                                                      • SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000,?,00000001,00000000,0042E75C,00000000,0042E7BA,?,00000000), ref: 0042B80C
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                       • Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                                       • Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
                                                                                                                                                                                       • Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
                                                                                                                                                                                       • Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: DescriptorSecurity$DaclInitialize
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID: 625223987-0
                                                                                                                                                                                      • Opcode ID: 392f2544300e24aa619eba52425cbbbc4ee90af40d326533f65ddcadeb52df08
                                                                                                                                                                                      • Instruction ID: 1e65df1025e7ff0c97246af645b30fa6adfadddd347ce977fd0d86ba3c67559b
                                                                                                                                                                                      • Opcode Fuzzy Hash: 392f2544300e24aa619eba52425cbbbc4ee90af40d326533f65ddcadeb52df08
                                                                                                                                                                                      • Instruction Fuzzy Hash: E6D0C7B06443006AE7149F264CC5F11B5995B84710F25C26571146F2E2C5B554404514
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%
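The security descriptor block above is worth decoding rather than skimming: SetSecurityDescriptorDacl is called with bDaclPresent = 000000FF (Delphi's Boolean True) and pDacl = 00000000, which is a NULL DACL, so any object created with that descriptor (a mutex, file mapping or named pipe) is writable by every principal on the machine. The earlier FindResourceA block looks up a resource named TMADEXCEPT of type 0000000A (RT_RCDATA), the name the madExcept Delphi exception-reporting library uses for its embedded settings, which marks the binary as a Delphi build. The script below is an added example and is not part of the Joe Sandbox report; it parses API lines in exactly the format printed above (the input is copied from the two blocks and labelled as constructed) and applies those two decoding rules. The sandbox prints the formal parameters followed by whatever else was on the stack, so only the first four tokens of SetSecurityDescriptorDacl are interpreted.

```python
"""Parse Joe Sandbox per-function "APIs" lines and flag two things seen in this
report: a NULL-DACL security descriptor and the madExcept resource lookup.
Added example, not part of the Joe Sandbox report."""
import re
from dataclasses import dataclass

# Constructed input: API lines copied verbatim from the blocks above (the
# sandbox prints the formal parameters followed by whatever else sat on the stack).
REPORT_LINES = [
    "• FindResourceA.KERNEL32(00400000,TMADEXCEPT,0000000A), ref: 0042E20C",
    "• InitializeSecurityDescriptor.ADVAPI32(?,00000001,00000000,0042E75C,00000000,0042E7BA,?,00000000), ref: 0042B800",
    "• SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000,?,00000001,00000000,0042E75C,00000000,0042E7BA,?,00000000), ref: 0042B80C",
]

RT_RCDATA = 0x0A  # resource type 10, application-defined raw data

API_RE = re.compile(
    r"^[•\s]*(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list      # raw tokens; "?" means the sandbox could not resolve the value
    ref: int        # address of the call site


def parse_api_line(line):
    """Return an ApiCall for one "• Api.MODULE(args), ref: addr" line, else None."""
    m = API_RE.match(line.strip())
    if not m:
        return None
    args = [a.strip() for a in m.group("args").split(",")]
    return ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16))


def arg_int(call, index):
    """index-th argument as an int, or None if missing, unresolved or symbolic."""
    if index >= len(call.args) or call.args[index] == "?":
        return None
    try:
        return int(call.args[index], 16)
    except ValueError:
        return None   # a string literal or Function_xxx token


def classify_dacl(call):
    """SetSecurityDescriptorDacl(pSD, bDaclPresent, pDacl, bDaclDefaulted).
    Delphi passes True as 0xFF, so the flag is tested for non-zero, not == 1."""
    if call.api != "SetSecurityDescriptorDacl":
        return None
    present, pdacl = arg_int(call, 1), arg_int(call, 2)
    if present is None or pdacl is None:
        return "unresolved"
    if present == 0:
        return "no_dacl"        # flag clear: object gets the token's default DACL
    if pdacl == 0:
        return "null_dacl"      # flag set, pointer NULL: everyone gets full access
    return "explicit_dacl"


def classify_resource(call):
    """FindResourceA(hModule, lpName, lpType): spot madExcept's settings resource."""
    if not call.api.startswith("FindResource") or len(call.args) < 3:
        return None
    if call.args[1] == "TMADEXCEPT" and arg_int(call, 2) == RT_RCDATA:
        return "madexcept_marker"
    return None


def scan(lines):
    """Return (call-site address, verdict) for every line that triggers a rule."""
    findings = []
    for line in lines:
        call = parse_api_line(line)
        if call is None:
            continue
        for rule in (classify_dacl, classify_resource):
            verdict = rule(call)
            if verdict:
                findings.append((call.ref, verdict))
    return findings


if __name__ == "__main__":
    for ref, verdict in scan(REPORT_LINES):
        print(f"{ref:08X} {verdict}")
```

Run against the three lines, scan reports the madExcept marker at 0042E20C and the NULL DACL at 0042B80C; the InitializeSecurityDescriptor line produces no finding on its own, since revision 1 is simply SECURITY_DESCRIPTOR_REVISION. When hunting for the object that actually receives the descriptor, follow the same dump for CreateMutex, CreateFileMapping or CreateNamedPipe calls whose lpSecurityAttributes points at it.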

                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                       • Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
                                                                                                                                                                                       • Associated: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp
                                                                                                                                                                                       • Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
                                                                                                                                                                                       • Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID:
                                                                                                                                                                                      • String ID: $i
                                                                                                                                                                                      • API String ID: 0-565685446
                                                                                                                                                                                      • Opcode ID: 6310859695cc467afef26f9f49b3249037e8dba6b9f8126350a8d7da67942f8a
                                                                                                                                                                                      • Instruction ID: 9a094c36a2cc5c230144d6614a0562df01995e6f1b336d0058b2eb2cc78c8b66
                                                                                                                                                                                      • Opcode Fuzzy Hash: 6310859695cc467afef26f9f49b3249037e8dba6b9f8126350a8d7da67942f8a
                                                                                                                                                                                      • Instruction Fuzzy Hash: 11D1F871E0021A9FCF18CFA9C8A05EDBBB6FF88314F25856AD859A7750D730A945CF90
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: FreeLocal
• String ID: SmtpPassword
• API String ID: 2826327444-233277553
Uniqueness

Uniqueness Score: -1.00%

Yara matches
Similarity
Uniqueness

Uniqueness Score: -1.00%

Yara matches
Similarity
Uniqueness

Uniqueness Score: -1.00%

Yara matches
Similarity
Uniqueness

Uniqueness Score: -1.00%

Yara matches
Similarity
Uniqueness

Uniqueness Score: -1.00%

Yara matches
Similarity
Uniqueness

Uniqueness Score: -1.00%

Yara matches
Similarity
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0042C174: GetVersion.KERNEL32(?,00000001,00445D18,00000010,00000000,00445EC5,?,T$E,005FA000,00000000), ref: 0042C178
  • Part of subcall function 0042C174: Sleep.KERNEL32(0000000A,?,00000001,00445D18,00000010,00000000,00445EC5,?,T$E,005FA000,00000000), ref: 0042C1D6
• MessageBeep.USER32(00000000), ref: 0043DE14
• SetMapMode.GDI32(?,00000001), ref: 0043DE66
Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                      • Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp Download File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: BeepMessageModeSleepVersion
                                                                                                                                                                                      • String ID: B$Courier New
                                                                                                                                                                                      • API String ID: 1322057345-994959992
                                                                                                                                                                                      • Opcode ID: e5d2a6c4da25905a38c1fa769ca4b30f337a646c21e8be349fb52767ab525cca
                                                                                                                                                                                      • Instruction ID: 98e2f33d15795d7243c5de33b3c325a129f29fa12189380b5d33c364f1e0699c
                                                                                                                                                                                      • Opcode Fuzzy Hash: e5d2a6c4da25905a38c1fa769ca4b30f337a646c21e8be349fb52767ab525cca
                                                                                                                                                                                      • Instruction Fuzzy Hash: 97B1EF75F042089FDB10EBE9CC86B9EB7B9AB48304F50457AB604F72C1D778A9058B69
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

APIs
• IsWindowEnabled.USER32(?), ref: 0043E9D6
• GetClientRect.USER32(?,?), ref: 0043EA12
• DrawFrameControl.USER32(?,?,00000004,00000210), ref: 0043EA46
• DrawFrameControl.USER32(?,?,00000004,00000010), ref: 0043EA5C
• GetSysColor.USER32(00000015), ref: 0043EA63
• CreateSolidBrush.GDI32(?), ref: 0043EA73
• FillRect.USER32(?,?,00000000), ref: 0043EA86
• DeleteObject.GDI32(00000000), ref: 0043EA8C
• GetSysColor.USER32(0000000F), ref: 0043EA93
• InflateRect.USER32(?,000000FD,000000FD), ref: 0043EBA8
• DrawFocusRect.USER32(?,?), ref: 0043EBB8
• GetWindowTextA.USER32(?,?,0000001E), ref: 0043EBF5
• IsWindowEnabled.USER32(?), ref: 0043EC36
• SetTextColor.GDI32(?,00FFFFFF), ref: 0043EC4B
• TextOutA.GDI32(?,?,00000005,?,00000000), ref: 0043EC64
• GetSysColor.USER32(00000015), ref: 0043EC6B
• SetTextColor.GDI32(?,00000000), ref: 0043EC78
• SetTextColor.GDI32(?,?), ref: 0043EC8A
• TextOutA.GDI32(?,?,-00000004,?,00000000), ref: 0043ECA3
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: ColorText$Rect$DrawWindow$ControlEnabledFrame$BrushClientCreateDeleteFillFocusInflateObjectSolid
• String ID:
• API String ID: 1775932466-0
• Opcode ID: 6154e2c5ab1506d7d424ecc0a5e8c93ef5f7bf6b1839e053ed8480b06f8fc840
• Instruction ID: 94e7de3dc99eb8f4b12f39fc997464827c4995fea9c8e56a366c45d8b3c22fc4
• Opcode Fuzzy Hash: 6154e2c5ab1506d7d424ecc0a5e8c93ef5f7bf6b1839e053ed8480b06f8fc840
• Instruction Fuzzy Hash: 5DC13B76A00208EFDB00DFA9C985EDEB7F9AF48304F154166F914EB291D638EE41CB55
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 004427E9
• SendMessageA.USER32(?,00001003,00000001,00000000), ref: 00442A91
• SendMessageA.USER32(00000000,00000030,?,00000000), ref: 00442CB6
  • Part of subcall function 00442408: SendMessageA.USER32(?,00000030,?,00000000), ref: 004424D6
  • Part of subcall function 00442408: SendMessageA.USER32(?,00001003,00000001,?), ref: 004424F3
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: MessageSend
• String ID: ,C$>> $>> internal$>> will be$Edit$MZP$cpu registers$disassembling$modules$processes$pC$stack dump
• API String ID: 3850602802-3811169761
• Opcode ID: 9ae8e5fcb9daf7abe0b852f7c8a73c803076505817dc60ea0d3eae4c81696248
• Instruction ID: f7b9eb70678656749e8d53d96f02107b78b94ab58cfd427e0bdd8fbe2907a797
• Opcode Fuzzy Hash: 9ae8e5fcb9daf7abe0b852f7c8a73c803076505817dc60ea0d3eae4c81696248
• Instruction Fuzzy Hash: ED121975A0020ADFDB00EB94C581EEEB7B9FF48304F604166F915AB391DB78AE06CB54
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetWindowLongA.USER32(?,000000EB), ref: 0043E669
• FindResourceA.KERNEL32(?,00000000,00000002), ref: 0043E69D
• SizeofResource.KERNEL32(?,00000000,?,00000000,00000002,?,000000EB,00000000,0043E8E5), ref: 0043E6AE
• LoadResource.KERNEL32(?,00000000,?,00000000,?,00000000,00000002,?,000000EB,00000000,0043E8E5), ref: 0043E6C8
• LockResource.KERNEL32(00000000), ref: 0043E6F3
• FreeResource.KERNEL32(00000000,00000000), ref: 0043E727
• CreateCompatibleDC.GDI32(00000000), ref: 0043E826
• CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 0043E849
• GdiFlush.GDI32(00000000,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0043E85A
• GdiFlush.GDI32(00000000,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0043E873
• SelectObject.GDI32(00000000,00000000), ref: 0043E87A
• SelectObject.GDI32(00000000,?), ref: 0043E8A4
• DeleteObject.GDI32(00000000), ref: 0043E8AA
• DeleteDC.GDI32(00000000), ref: 0043E8B4
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: Resource$Object$CreateDeleteFlushSelect$CompatibleFindFreeLoadLockLongSectionSizeofWindow
• String ID: mei
• API String ID: 2275757986-2477442943
• Opcode ID: 968a82e2796a9fd6aff9a999706c169787fc458f86d367647daebf81a791ac6d
• Instruction ID: d753d782d7a4ed4e856bbd41e1f2de5cfc8918e0438134dce9487d93f8f76548
• Opcode Fuzzy Hash: 968a82e2796a9fd6aff9a999706c169787fc458f86d367647daebf81a791ac6d
• Instruction Fuzzy Hash: 72816571E002095BDB14EF69CC81BAE77B9EF89304F15913AE500F73D6DA78E9018B94
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(user32.dll,GetCursorInfo), ref: 004233BC
• GetCursorPos.USER32(?), ref: 004233DB
• WindowFromPoint.USER32(?,?,00000000,user32.dll,GetCursorInfo), ref: 004233EA
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004233F6
• GetCurrentThreadId.KERNEL32 ref: 00423408
• AttachThreadInput.USER32(00000000,00000000,000000FF,?,?,00000000,user32.dll,GetCursorInfo), ref: 0042340E
• GetCursor.USER32(?,?,00000000,user32.dll,GetCursorInfo), ref: 00423413
• GetCurrentThreadId.KERNEL32 ref: 00423422
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,00000000,user32.dll,GetCursorInfo), ref: 00423428
• GetIconInfo.USER32(?,?), ref: 0042343F
• DeleteObject.GDI32(?), ref: 00423450
• DeleteObject.GDI32(?), ref: 0042345D
• DrawIconEx.USER32(?,?,?,?,00000000,00000000,00000000,00000000,00000003), ref: 00423491
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
                                                                                                                                                                                      • Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp Download File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: Thread$AttachCurrentCursorDeleteIconInputObjectWindow$DrawFromHandleInfoModulePointProcess
                                                                                                                                                                                      • String ID: GetCursorInfo$user32.dll
                                                                                                                                                                                      • API String ID: 2809598821-4002949112
                                                                                                                                                                                      • Opcode ID: dd4ac13b24d6eb81e6b845c09c47d92d2827bd99732520e98d9e44e94b4b934e
                                                                                                                                                                                      • Instruction ID: 3a954f184e4d703981de476d3edde36987b02e2d82715ead4c857b0a80b75d47
                                                                                                                                                                                      • Opcode Fuzzy Hash: dd4ac13b24d6eb81e6b845c09c47d92d2827bd99732520e98d9e44e94b4b934e
                                                                                                                                                                                      • Instruction Fuzzy Hash: BB313C71F0431A6ADB11EEFA9C85B9F77BC9F04345F50416ABA00B7281DA7CEA008769
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Similarity
• API ID: closesocket
• String ID: --www.madshi.net_multipart_boundary--$ HTTP/1.1$Authorization: Basic $Connection: close$Content-Disposition: form-data; name="$Content-Length: $Content-Type: multipart/form-data; boundary=$From: $Host: $POST $Pragma: no-cache$User-Agent: madExcept/3.0$www.madshi.net_multipart_boundary
• API String ID: 2781271927-3628904027
• Opcode ID: 520199f2089230f9e6d2361bbdaced5b79e242663719313899282ef317dd10e2
• Instruction ID: e685ab905e74a4c399274ef190aea09b3a71a631372c1315a452a7766d3a3ba8
• Opcode Fuzzy Hash: 520199f2089230f9e6d2361bbdaced5b79e242663719313899282ef317dd10e2
• Instruction Fuzzy Hash: 02F1D775A402089FCB00DF99C885A9EB7B5EF4C314F219166F904AB3A2CB74ED45CB94
Uniqueness
Uniqueness Score: -1.00%

APIs
• LocalAlloc.KERNEL32(00000040,?,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00417415
• LocalAlloc.KERNEL32(00000040,?,00000040,?,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0041743A
• GetFileTime.KERNEL32(00000000,00000000,00000000,B70F0B86,?,00000000,?,?,B70F0B82,00000000,00000040,?,00000040,?,00000000,00000000), ref: 004174E2
• FileTimeToLocalFileTime.KERNEL32(B70F0B86,B70F0B86,00000000,00000000,00000000,B70F0B86,?,00000000,?,?,B70F0B82,00000000,00000040,?,00000040,?), ref: 004174EF
• FileTimeToDosDateTime.KERNEL32(B70F0B86,B70F0B58,B70F0B56), ref: 00417500
• WriteFile.KERNEL32(?,B70F0B4C,0000001E,B70F0B82,00000000,?,00000000,00000000,00000001,00000000,B70F0B86,B70F0B58,B70F0B56,B70F0B86,B70F0B86,00000000), ref: 00417586
• WriteFile.KERNEL32(?,00000000,00000000,B70F0B82,00000000,?,B70F0B4C,0000001E,B70F0B82,00000000,?,00000000,00000000,00000001,00000000,B70F0B86), ref: 004175AF
• WriteFile.KERNEL32(?,?,?,B70F0B82,00000000,?,00000000,00000000,B70F0B82,00000000,?,B70F0B4C,0000001E,B70F0B82,00000000,?), ref: 004175D6
• LocalFree.KERNEL32(?,00000000,?,?,B70F0B82,00000000,00000040,?,00000040,?,00000000,00000000,00000000,80000000,00000001,00000000), ref: 004175F7
• LocalFree.KERNEL32(?,00000040,?,00000040,?,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00417600
• WriteFile.KERNEL32(?,00000004,0000002E,B70F0B82,00000000,?,00000000,00000000,00000001), ref: 004176B5
• WriteFile.KERNEL32(?,00000000,00000000,B70F0B82,00000000,?,00000004,0000002E,B70F0B82,00000000,?,00000000,00000000,00000001), ref: 004176DE
• WriteFile.KERNEL32(?,B70F0B36,00000016,B70F0B82,00000000,?,00000000,00000000,00000001), ref: 00417717
• DeleteFileA.KERNEL32(00000000,?), ref: 00417747
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Similarity
• API ID: File$Write$LocalTime$AllocFree$DateDelete
• String ID:
• API String ID: 912391403-0
• Opcode ID: 770052da791951678017411fc381b3910285bc3c257de85469ff280a0904b08d
• Instruction ID: e1ad207f9c91cf2294538ed2b38fb518f8dcd0d8413a5682430c904c84897306
• Opcode Fuzzy Hash: 770052da791951678017411fc381b3910285bc3c257de85469ff280a0904b08d
• Instruction Fuzzy Hash: 19E12A70E04208ABDB10EBA9C885FDEB7F9AF48304F10446AF514FB291D779A945CB69
Uniqueness
Uniqueness Score: -1.00%
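
The three records above (the cursor routine at 004233EA, the closesocket function that carries the madExcept POST strings, and the file writer at 00417415) are easier to assess once the API lines are parsed rather than read by eye. The following Python triage helper is an added example by the editor; it is not part of the Joe Sandbox report or of the sample. It parses lines in the "• Api.MODULE(args), ref: ADDR" format plus the "• String ID:" line and flags three behaviours. Two of the interpretations are the editor's inferences from the listed arguments, not statements in the report: the WindowFromPoint, AttachThreadInput, GetCursor, DrawIconEx order is the standard way to render the foreground window's mouse cursor into a screen capture, and the WriteFile lengths 0000001E, 0000002E and 00000016 (30, 46 and 22 bytes) alongside FileTimeToDosDateTime are the fixed sizes of a ZIP local file header, central directory file header and end-of-central-directory record, which is what a DOS-timestamped ZIP writer emits. The sample input is copied from the lines above; reading "?" as an argument the sandbox could not resolve is an assumption about the report format; the finding labels are the editor's.

```python
"""Triage helper for Joe Sandbox API listings (added example, not part of the report)."""
import re
from dataclasses import dataclass
from typing import List, Sequence, Set, Tuple

# One API line: optional bullet, Name.MODULE, optional "(args)", then "ref: ADDR".
API_RE = re.compile(
    r"^(?:•\s*)?(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
STRING_ID_RE = re.compile(r"^(?:•\s*)?String ID:\s*(?P<strings>.*)$")

@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: int  # address of the call site

def parse_api_lines(text: str) -> List[ApiCall]:
    calls: List[ApiCall] = []
    for raw in text.splitlines():
        m = API_RE.match(raw.strip())
        if not m:
            continue
        args = m.group("args")
        parsed = tuple(a.strip() for a in args.split(",")) if args else ()
        calls.append(ApiCall(m.group("api"), m.group("mod"), parsed, int(m.group("ref"), 16)))
    return calls

def parse_string_ids(text: str) -> List[str]:
    """The report joins a function's referenced strings with '$'."""
    strings: List[str] = []
    for raw in text.splitlines():
        m = STRING_ID_RE.match(raw.strip())
        if m and m.group("strings"):
            strings.extend(m.group("strings").split("$"))
    return strings

def contains_in_order(calls: Sequence[ApiCall], names: Sequence[str]) -> bool:
    """True when `names` occurs as an ordered, not necessarily adjacent, subsequence."""
    it = iter(c.api for c in calls)
    return all(any(name == api for api in it) for name in names)

def write_lengths(calls: Sequence[ApiCall]) -> Set[int]:
    """Resolved nNumberOfBytesToWrite values (third WriteFile argument)."""
    sizes: Set[int] = set()
    for c in calls:
        if c.api == "WriteFile" and len(c.args) >= 3:
            try:
                sizes.add(int(c.args[2], 16))
            except ValueError:
                pass  # assumption: '?' is an argument the sandbox could not resolve
    return sizes

# Foreground cursor rendered into a screen capture (editor's interpretation).
CURSOR_CAPTURE = ("WindowFromPoint", "GetWindowThreadProcessId", "AttachThreadInput",
                  "GetCursor", "AttachThreadInput", "GetIconInfo", "DrawIconEx")
# ZIP local file header (30), central directory header (46), EOCD record (22).
ZIP_RECORD_SIZES = {0x1E, 0x2E, 0x16}

def triage(text: str) -> List[str]:
    """Return the editor's finding labels for one or more report records."""
    calls = parse_api_lines(text)
    findings: List[str] = []
    if contains_in_order(calls, CURSOR_CAPTURE):
        findings.append("cursor-capture")
    if any(c.api == "FileTimeToDosDateTime" for c in calls) and ZIP_RECORD_SIZES <= write_lengths(calls):
        findings.append("zip-writer")
    if any("madExcept" in s or "madshi.net" in s for s in parse_string_ids(text)):
        findings.append("madexcept-upload")
    return findings

# Sample input copied from the records above (a subset of their lines).
SAMPLE = """
• WindowFromPoint.USER32(?,?,00000000,user32.dll,GetCursorInfo), ref: 004233EA
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004233F6
• GetCurrentThreadId.KERNEL32 ref: 00423408
• AttachThreadInput.USER32(00000000,00000000,000000FF,?,?,00000000,user32.dll,GetCursorInfo), ref: 0042340E
• GetCursor.USER32(?,?,00000000,user32.dll,GetCursorInfo), ref: 00423413
• GetCurrentThreadId.KERNEL32 ref: 00423422
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,00000000,user32.dll,GetCursorInfo), ref: 00423428
• GetIconInfo.USER32(?,?), ref: 0042343F
• DrawIconEx.USER32(?,?,?,?,00000000,00000000,00000000,00000000,00000003), ref: 00423491
• FileTimeToDosDateTime.KERNEL32(B70F0B86,B70F0B58,B70F0B56), ref: 00417500
• WriteFile.KERNEL32(?,B70F0B4C,0000001E,B70F0B82,00000000,?,00000000,00000000,00000001,00000000,B70F0B86,B70F0B58,B70F0B56,B70F0B86,B70F0B86,00000000), ref: 00417586
• WriteFile.KERNEL32(?,?,?,B70F0B82,00000000,?,00000000,00000000,B70F0B82,00000000,?,B70F0B4C,0000001E,B70F0B82,00000000,?), ref: 004175D6
• WriteFile.KERNEL32(?,00000004,0000002E,B70F0B82,00000000,?,00000000,00000000,00000001), ref: 004176B5
• WriteFile.KERNEL32(?,B70F0B36,00000016,B70F0B82,00000000,?,00000000,00000000,00000001), ref: 00417717
• String ID: --www.madshi.net_multipart_boundary--$ HTTP/1.1$Authorization: Basic $Connection: close$Content-Disposition: form-data; name="$Content-Length: $Content-Type: multipart/form-data; boundary=$From: $Host: $POST $Pragma: no-cache$User-Agent: madExcept/3.0$www.madshi.net_multipart_boundary
"""

if __name__ == "__main__":
    print(triage(SAMPLE))  # ['cursor-capture', 'zip-writer', 'madexcept-upload']
```

madExcept is madshi.net's exception-reporting library for Delphi and C++Builder; the upload strings here and the %exceptMsg% template placeholders in the GetLocalTime record below show that the binary links it, which identifies the toolchain and explains both the HTTP POST code and the ZIP writer, but is not by itself evidence of malicious behaviour. The cursor-capture sequence is likewise shared by legitimate screenshot code, so a finding from this helper should be correlated with the rest of the report's behaviour signatures rather than read in isolation.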

APIs
• FindResourceA.KERNEL32(?,00000000,00000002), ref: 004089A1
• SizeofResource.KERNEL32(?,00000000,?,00000000,00000002,00000000,00408B97), ref: 004089B2
• LoadResource.KERNEL32(?,00000000,?,00000000,?,00000000,00000002,00000000,00408B97), ref: 004089CC
• LockResource.KERNEL32(00000000), ref: 004089F7
• FreeResource.KERNEL32(00000000,00000000), ref: 00408A2B
• GetSysColor.USER32(0000000F), ref: 00408A32
• CreateCompatibleDC.GDI32(00000000), ref: 00408AE4
• CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 00408B07
• GdiFlush.GDI32(00000000,00000000), ref: 00408B18
• GdiFlush.GDI32(00000000,00000000), ref: 00408B31
• SelectObject.GDI32(00000000,00000000), ref: 00408B38
• SelectObject.GDI32(00000000,?), ref: 00408B5E
• DeleteObject.GDI32(00000000), ref: 00408B64
• DeleteDC.GDI32(00000000), ref: 00408B6E
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Similarity
• API ID: Resource$Object$CreateDeleteFlushSelect$ColorCompatibleFindFreeLoadLockSectionSizeof
• String ID:
• API String ID: 3833887070-0
• Opcode ID: 6d458f9748dfa3ff53c409fdc410263c719e22e04ef82bb67f5a592aab4e7371
• Instruction ID: 94925152a82b1ca40a31ae821374ae76607cd8069cefb700c532e80d703e74a9
• Opcode Fuzzy Hash: 6d458f9748dfa3ff53c409fdc410263c719e22e04ef82bb67f5a592aab4e7371
• Instruction Fuzzy Hash: BC51E272E006155BDB11EB69CC42BBFB6B9EF85314F15413AE900BB3C1DA38AD0187E9
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLocalTime.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,0042C70F,?,00000000,00000001,00000000,00000000,%exceptMsg%,?,004368E8), ref: 0042C5B6
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Similarity
• API ID: LocalTime
• String ID: %LF%$%appname%$%bugReport%$%date%$%datetime%$%exceptMsg%$%exceptMsg%$%modname%$%time%$Unknown$hC
• API String ID: 481472006-3650041594
• Opcode ID: 5a78b00ff3505b4748fa4d10ee0d7a73b1dde4bb43795c20253abfaeba0d561b
• Instruction ID: d6963eb2e8e9c77f07b0f853f71806fe7170025e4cda01f7872aee1baf3fb612
• Opcode Fuzzy Hash: 5a78b00ff3505b4748fa4d10ee0d7a73b1dde4bb43795c20253abfaeba0d561b
• Instruction Fuzzy Hash: 3D510375B40129ABDB00EB95D892BDEB7B5EFC8704F90803AF500B7281D77D9D058BA9
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: LineMove$Object$ColorSelect$CreateDelete
• String ID:
• API String ID: 1677892028-0
• Opcode ID: 9188ecbb3ec32e414258cb6dd7562417e26cd9dfeb95da7e702f848956125cc0
• Instruction ID: 7d6027a4f17df77adf650f5abbc2aca914cae052f895d7a72586b5b95c30cfcc
• Opcode Fuzzy Hash: 9188ecbb3ec32e414258cb6dd7562417e26cd9dfeb95da7e702f848956125cc0
• Instruction Fuzzy Hash: 95310FB2B04219BFD710EEAECC85EAF7BACDB44354F004426B915E7242D638ED10C7A5
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,00000008,00000000,005FA08C,?,00406534,00000000,00406591,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 004062F1
• lstrcpyn.KERNEL32(?,?,?,?,00406534,00000000,00406591,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406332
• lstrcpyn.KERNEL32(?,?,?,kernel32.dll,00000008,00000000,005FA08C,?,00406534,00000000,00406591,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00406396
• lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,00000008,00000000,005FA08C,?,00406534,00000000,00406591,?,80000001), ref: 004063CB
• lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,00000008,00000000,005FA08C,?,00406534), ref: 004063F7
• lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,00000008,00000000), ref: 0040642B
• lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,00000008), ref: 00406437
• lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00406459
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: lstrcpyn$lstrlen$HandleModule
• String ID: GetLongPathNameA$\$kernel32.dll
• API String ID: 3464091497-1565342463
• Opcode ID: c5aa2957b067cb8e48b75fab92ed1dd4f637dde9c7766486749e38ce8785b10c
• Instruction ID: dcb38ff0108a73db7a385731ee4ab17cf7e26b9cd380e4edd61c124c6fd04cf7
• Opcode Fuzzy Hash: c5aa2957b067cb8e48b75fab92ed1dd4f637dde9c7766486749e38ce8785b10c
• Instruction Fuzzy Hash: 29419572900119AFDB10EAA9CC85EDFB7EDDF44314F1500BBA949F3292D6389F548B98
Uniqueness
Uniqueness Score: -1.00%
APIs
• LoadCursorA.USER32(00000000,00007F00), ref: 00428C61
• RegisterClassA.USER32(000000C0), ref: 00428C6D
• CreateWindowExA.USER32(00000001,?,00000000,00C80000,00000000,00000000,000000C8,000000C8,?,00000000,MZP,00000000), ref: 00428CAB
  • Part of subcall function 0040B834: VirtualAlloc.KERNEL32(00000000,00000011,00001000,00000040), ref: 0040B84A
• SetWindowLongA.USER32(?,000000FC,00000010), ref: 00428CE2
• GetSystemMenu.USER32(?,00000000,00000001,?,00000000,00C80000,00000000,00000000,000000C8,000000C8,?,00000000,MZP,00000000,00000000,00007F00), ref: 00428CF3
• RemoveMenu.USER32(00000000,0000F020,00000000,?,00000000,00000001,?,00000000,00C80000,00000000,00000000,000000C8,000000C8,?,00000000,MZP), ref: 00428D02
• RemoveMenu.USER32(00000000,0000F030,00000000,00000000,0000F020,00000000,?,00000000,00000001,?,00000000,00C80000,00000000,00000000,000000C8,000000C8), ref: 00428D0F
• RemoveMenu.USER32(00000000,0000F120,00000000,00000000,0000F030,00000000,00000000,0000F020,00000000,?,00000000,00000001,?,00000000,00C80000,00000000), ref: 00428D1C
• RemoveMenu.USER32(00000000,0000F000,00000000,00000000,0000F120,00000000,00000000,0000F030,00000000,00000000,0000F020,00000000,?,00000000,00000001,?), ref: 00428D29
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: Menu$Remove$Window$AllocClassCreateCursorLoadLongRegisterSystemVirtual
• String ID: MZP$madNVAssistantWnd
• API String ID: 1475295263-1210305120
• Opcode ID: e027c326a916efd6a1735755b5b3f0b373b1305ac6e418cf9bdd0a5ace3b2d63
• Instruction ID: 455dac2dcebdfeaee4299419857f9b9f05eccf0c9824cea493ab2285a5ca29e2
• Opcode Fuzzy Hash: e027c326a916efd6a1735755b5b3f0b373b1305ac6e418cf9bdd0a5ace3b2d63
• Instruction Fuzzy Hash: 0D312E74B85204AFE710DB68CC86F9EB7E8EB08714F108165B904AF3D2C678ED408B99
Uniqueness
Uniqueness Score: -1.00%
APIs
• FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 004080A4
• RegisterClipboardFormatA.USER32(MSWHEEL_ROLLMSG), ref: 004080B0
• RegisterClipboardFormatA.USER32(MSH_WHEELSUPPORT_MSG), ref: 004080BF
• RegisterClipboardFormatA.USER32(MSH_SCROLL_LINES_MSG), ref: 004080CB
• SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 004080E3
• SendMessageA.USER32(00000000,?,00000000,00000000), ref: 00408107
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: ClipboardFormatRegister$MessageSend$FindWindow
• String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
• API String ID: 1416857345-3736581797
• Opcode ID: d647705f8095a8b39024e3ec9347c9d84d0d9289cdaf1dfed943fbf054974fda
• Instruction ID: 122986cd74cba8abc05e66c13d8c7e0325f67aa4a70c2a4d691c83d7a8a0f9ce
• Opcode Fuzzy Hash: d647705f8095a8b39024e3ec9347c9d84d0d9289cdaf1dfed943fbf054974fda
• Instruction Fuzzy Hash: 48114F71644301AFE7109F55C942B6AB7A8EF45310F20407AF884BF3C1DAB85C418BE9
Uniqueness
Uniqueness Score: -1.00%
APIs
• LocalAlloc.KERNEL32(00000040,00046308), ref: 004222CD
• LocalAlloc.KERNEL32(00000040,00023184,00000040,00046308), ref: 004222DC
• LocalAlloc.KERNEL32(00000040,00023184,00000040,00023184,00000040,00046308), ref: 004222EB
• LocalAlloc.KERNEL32(00000040,00023184,00000040,00023184,00000040,00023184,00000040,00046308), ref: 004222FA
• LocalAlloc.KERNEL32(00000040,00023184,00000040,00023184,00000040,00023184,00000040,00023184,00000040,00046308), ref: 00422309
• LocalAlloc.KERNEL32(00000040,00001C00,00000040,00023184,00000040,00023184,00000040,00023184,00000040,00023184,00000040,00046308), ref: 00422318
• LocalAlloc.KERNEL32(00000040,00000800,00000040,00001C00,00000040,00023184,00000040,00023184,00000040,00023184,00000040,00023184,00000040,00046308), ref: 00422327
• LocalFree.KERNEL32(00000000,00000040,00000800,00000040,00001C00,00000040,00023184,00000040,00023184,00000040,00023184,00000040,00023184,00000040,00046308), ref: 0042249F
• LocalFree.KERNEL32(?,00000000,00000040,00000800,00000040,00001C00,00000040,00023184,00000040,00023184,00000040,00023184,00000040,00023184,00000040,00046308), ref: 004224A8
• LocalFree.KERNEL32(?,?,00000000,00000040,00000800,00000040,00001C00,00000040,00023184,00000040,00023184,00000040,00023184,00000040,00023184,00000040), ref: 00422537
• LocalFree.KERNEL32(?,?,?,00000000,00000040,00000800,00000040,00001C00,00000040,00023184,00000040,00023184,00000040,00023184,00000040,00023184), ref: 00422540
• LocalFree.KERNEL32(00000020,?,?,?,00000000,00000040,00000800,00000040,00001C00,00000040,00023184,00000040,00023184,00000040,00023184,00000040), ref: 00422549
• LocalFree.KERNEL32(?,00000020,?,?,?,00000000,00000040,00000800,00000040,00001C00,00000040,00023184,00000040,00023184,00000040,00023184), ref: 00422552
• LocalFree.KERNEL32(00000020,?,00000020,?,?,?,00000000,00000040,00000800,00000040,00001C00,00000040,00023184,00000040,00023184,00000040), ref: 0042255B
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: Local$AllocFree
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID: 2012307162-0
                                                                                                                                                                                      • Opcode ID: d7ae0e2e0411c0e937f072bc19953d3a5651fdf6e59079f0dcd5ce8470d6580d
                                                                                                                                                                                      • Instruction ID: 3cf1ed9b833b69ccfd61709242b8401f1e039e7cfdc3fd41cd6853ee2e1c6009
                                                                                                                                                                                      • Opcode Fuzzy Hash: d7ae0e2e0411c0e937f072bc19953d3a5651fdf6e59079f0dcd5ce8470d6580d
                                                                                                                                                                                      • Instruction Fuzzy Hash: 56910670E00219ABCB00DFADD9859AEFBF4FF48304F50816AE514BB251D735AE118BA8
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

APIs
• SendMessageA.USER32(00000000,00001304,00000000,00000000), ref: 00443025
• SendMessageA.USER32(00000000,00001305,-00000001,?), ref: 0044304E
• SendMessageA.USER32(00000000,00001308,-00000001,00000000), ref: 00443090
• SendMessageA.USER32(00000000,00001307,00000000,?), ref: 0044312B
• InvalidateRect.USER32(00000000,00000000,00000000,00000000,00001304,00000000,00000000,?,?,?,?,?,0043F894), ref: 00443149
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: MessageSend$InvalidateRect
• String ID: cpu registers$cpu regs$disasm$disassembling$general|call stack
• API String ID: 2778011698-2178787781
• Opcode ID: 24fe02df3d9b16887f68652ae04fb7878e924bbb00105965c31571ea4f71ef52
• Instruction ID: 0e7b8a44243642da80558d0f20f84496f86fa15d692546af1af5dafdfc279547
• Opcode Fuzzy Hash: 24fe02df3d9b16887f68652ae04fb7878e924bbb00105965c31571ea4f71ef52
• Instruction Fuzzy Hash: BFA16834A001189FEB10EF95C985BDEB3B9FF48305F5081AAE904AB3A1D778AE45CB55
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(80000000,mailto\shell\open\command,00000000,00020019,B70F0B92,00000000,00439594,B70F0BAA,00000000,D2E4FD19,0043DBBD), ref: 0043934B
• RegQueryValueExA.ADVAPI32(?,004395C0,00000000,00000000,B70F0A89,B70F0B8E,80000000,mailto\shell\open\command,00000000,00020019,B70F0B92,00000000,00439594,B70F0BAA,00000000,D2E4FD19), ref: 00439370
• ExpandEnvironmentStringsA.KERNEL32(00000000,B70F0A89,00000104), ref: 004393B0
• GetVersion.KERNEL32(00000000,?,&body=,?,?subject=,?,mailto:,B70F0A2A,B70F0A2E,00000000,B70F0A89,00000104), ref: 00439494
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,B70F0A42,B70F0A32), ref: 00439531
• RegCloseKey.ADVAPI32(?,?,004395C0,00000000,00000000,B70F0A89,B70F0B8E,80000000,mailto\shell\open\command,00000000,00020019,B70F0B92,00000000,00439594,B70F0BAA,00000000), ref: 00439564
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: CloseCreateEnvironmentExpandOpenProcessQueryStringsValueVersion
• String ID: &body=$?subject=$mailto:$mailto\shell\open\command
• API String ID: 4127044786-1872207929
• Opcode ID: 48ca5c69302cf1639d33744998944aa7bb0d4ec2de54112ad93b7a06fc660ace
• Instruction ID: 27ceea5edf645f902347def6fa979c21ef682324d3c053d622c0fe7978af8f29
• Opcode Fuzzy Hash: 48ca5c69302cf1639d33744998944aa7bb0d4ec2de54112ad93b7a06fc660ace
• Instruction Fuzzy Hash: DD715171A0411AABDB10EBA5CC81BEEB7B8AF48304F50547AE514B32C1D77CAE45CB69
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetSysColor.USER32(0000000F), ref: 004263AA
  • Part of subcall function 00424A08: InflateRect.USER32(?), ref: 00424A26
  • Part of subcall function 00424A08: CreateSolidBrush.GDI32(?), ref: 00424A2F
  • Part of subcall function 00424A08: FillRect.USER32(?,?,00000000), ref: 00424A3C
  • Part of subcall function 00424A08: DeleteObject.GDI32(00000000), ref: 00424A42
• GetSysColor.USER32(0000000F), ref: 004263DA
• GetSysColor.USER32(0000000F), ref: 00426414
• GetSysColor.USER32(00000005), ref: 0042641F
• GetSysColor.USER32(00000010), ref: 00426441
• GetSysColor.USER32(00000008), ref: 0042644C
• GetSysColor.USER32(00000005), ref: 004264CF
• DrawFocusRect.USER32(?,?), ref: 0042652E
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: Color$Rect$BrushCreateDeleteDrawFillFocusInflateObjectSolid
• String ID: Marlett$Tahoma
• API String ID: 2656558131-2348366563
• Opcode ID: f7203285d071fdff8021d85fcbdbd50c8b9f75f6b8f44a7c475a93b57f401f04
• Instruction ID: 52c62cdd3bd4c5e694be8fb631e2ae7449bce98f3f57c8fc9fff8b1421403275
• Opcode Fuzzy Hash: f7203285d071fdff8021d85fcbdbd50c8b9f75f6b8f44a7c475a93b57f401f04
• Instruction Fuzzy Hash: DE519271F002186BDB10EFA9DC82B9EB7B5EF84714F91413AF904BB2C5D678AD408B58
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCommandLineA.KERNEL32(00000000,00000000,00000000,00000004,00000000,00000000,00000044,004458CE,00000000,0043E2CC,?,?,00000000), ref: 0043E1F2
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,004458CE,00000000,0043E2CC,?,?,00000000), ref: 0043E1FA
• GetCurrentProcessId.KERNEL32(00000000,000F001F,00000000,00000000,00000000,000000FF,?,00000004,00000000,00000058,00000000,?,00000000,00000000,00000000,00000000), ref: 0043E268
• GetCurrentProcess.KERNEL32(00000000,004458CE,00000004,00000000,00000000,00000002,00000000,000F001F,00000000,00000000,00000000,000000FF,?,00000004,00000000,00000058), ref: 0043E27E
• DuplicateHandle.KERNEL32(00000000,00000000,004458CE,00000004,00000000,00000000,00000002,00000000,000F001F,00000000,00000000,00000000,000000FF,?,00000004,00000000), ref: 0043E284
• ResumeThread.KERNEL32(00000000,00000000,000F001F,00000000,00000000,00000000,000000FF,?,00000004,00000000,00000058,00000000,?,00000000,00000000,00000000), ref: 0043E29F
• GetCurrentProcess.KERNEL32(00000002,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,004458CE,00000000,0043E2CC,?,?,00000000), ref: 0043E2A6
• TerminateProcess.KERNEL32(00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,004458CE,00000000,0043E2CC,?,?), ref: 0043E2AC
  • Part of subcall function 0042B7EC: InitializeSecurityDescriptor.ADVAPI32(?,00000001,00000000,0042E75C,00000000,0042E7BA,?,00000000), ref: 0042B800
  • Part of subcall function 0042B7EC: SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000,?,00000001,00000000,0042E75C,00000000,0042E7BA,?,00000000), ref: 0042B80C
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: Process$Current$DescriptorSecurity$CommandCreateDaclDuplicateHandleInitializeLineResumeTerminateThread
• String ID: D$madExceptRestart
• API String ID: 4250391635-3299302940
• Opcode ID: dd2b9a343317c6ce5515a51d7ee2ab50e744acea1cdfa454eb45eb13253a9e6c
• Instruction ID: d1f4441e05331e2b886ad13d0a2464ba3adc02247fd1f95a981ff333373a3de7
• Opcode Fuzzy Hash: dd2b9a343317c6ce5515a51d7ee2ab50e744acea1cdfa454eb45eb13253a9e6c
• Instruction Fuzzy Hash: A7311471A447086AE720EBA1CC42F9E77ACDB49714F60417ABB14FB1C2D678B9048B6D
Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

APIs
• CharNextA.USER32(00000000,?,?,00000000,?,00402B68,00000000,00402B95,?,?,?,00000000), ref: 00402A8F
• CharNextA.USER32(00000000,00000000,?,?,00000000,?,00402B68,00000000,00402B95,?,?,?,00000000), ref: 00402A99
• CharNextA.USER32(00000000,00000000,?,?,00000000,?,00402B68,00000000,00402B95,?,?,?,00000000), ref: 00402AB6
• CharNextA.USER32(00000000,?,?,00000000,?,00402B68,00000000,00402B95,?,?,?,00000000), ref: 00402AC0
• CharNextA.USER32(00000000,00000000,?,?,00000000,?,00402B68,00000000,00402B95,?,?,?,00000000), ref: 00402AE9
• CharNextA.USER32(00000000,00000000,00000000,?,?,00000000,?,00402B68,00000000,00402B95,?,?,?,00000000), ref: 00402AF3
• CharNextA.USER32(00000000,00000000,00000000,?,?,00000000,?,00402B68,00000000,00402B95,?,?,?,00000000), ref: 00402B17
• CharNextA.USER32(00000000,00000000,?,?,00000000,?,00402B68,00000000,00402B95,?,?,?,00000000), ref: 00402B21
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: CharNext
• String ID: "$"
• API String ID: 3213498283-3758156766
• Opcode ID: d53e473390e2c70fab2889ee1aed9f49b0a321bc2d396b3fab64bcc96d64de4e
• Instruction ID: 44d4dddac633dac86f44d1ef3526d0309bc9755cca435ad3cf7304e3d50030c3
• Opcode Fuzzy Hash: d53e473390e2c70fab2889ee1aed9f49b0a321bc2d396b3fab64bcc96d64de4e
• Instruction Fuzzy Hash: 7E21E2007043C119EF326D790AC8BAB6B854B5F34472801BB9981BA3DBD8FC6847D72E
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(cc3260mt.dll,00000000,0042D48A,?,?,?,?,00000022,00000000,00000000), ref: 0042CF44
• GetModuleHandleA.KERNEL32(cc3260.dll,cc3260mt.dll,00000000,0042D48A,?,?,?,?,00000022,00000000,00000000), ref: 0042CF54
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: HandleModule
• String ID: @_ThrowExceptionLDTC$qpvt1t1t1uiuiuipuct1$____ExceptionHandler$___terminatePTR$_malloc$_memcpy$cc3260.dll$cc3260mt.dll
• API String ID: 4139908857-2750139601
• Opcode ID: 841025939fae66e0b0d48fde87c2e11010368cb51b733c5eadeced756a3c1075
• Instruction ID: 26d451a7bb7af4f2933683db3434a42c18bccfe7b1bfb051cbd287cccf829027
• Opcode Fuzzy Hash: 841025939fae66e0b0d48fde87c2e11010368cb51b733c5eadeced756a3c1075
• Instruction Fuzzy Hash: 70F1C130B002248FDB20EF68E8807AAB7B1EF54314F50826BD855977A5D778AD89CB59
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004423BC: GetClientRect.USER32(?,?), ref: 004423CD
  • Part of subcall function 004423BC: SendMessageA.USER32(?,00001328,00000000,?), ref: 004423E4
  • Part of subcall function 004423BC: InflateRect.USER32(?,000000FD,000000FD), ref: 004423F4
• SendMessageA.USER32(?,00000030,?,00000000), ref: 004424D6
• SendMessageA.USER32(?,00001003,00000001,?), ref: 004424F3
• SendMessageA.USER32(?,0000101B,00000000,?), ref: 0044256F
• SendMessageA.USER32(00000000,00001007,00000000,00000001), ref: 004426E9
• SendMessageA.USER32(00000000,00001006,00000000,00000001), ref: 004426FF
• SendMessageA.USER32(?,0000101E,00000000,000000FF), ref: 00442749
• ShowWindow.USER32(?,00000005,?,00001003,00000001,?,?,00000030,?,00000000,00000000,00442784,?,?,?), ref: 0044275C
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: MessageSend$Rect$ClientInflateShowWindow
• String ID: MZP$SysListView32
• API String ID: 2077553228-3950937042
• Opcode ID: fcc25b95a70597c7fb29d39daf28c5664fbd121204b8a1aef6a2ca0ddf80cbfd
• Instruction ID: 28f00b9ae2aedda39305265f137e3abf13dec9f85fe492d1969b80c28badf233
• Opcode Fuzzy Hash: fcc25b95a70597c7fb29d39daf28c5664fbd121204b8a1aef6a2ca0ddf80cbfd
• Instruction Fuzzy Hash: EFB15074A002099FDB10DF99C985BAEB7F4FF48304F50816AF954AB392D778AE41CB94
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0042E204: FindResourceA.KERNEL32(00400000,TMADEXCEPT,0000000A), ref: 0042E20C
• LoadResource.KERNEL32(00000000,00000000,00000000,0042E627,?,00000000,00000000,00730020), ref: 0042E360
• LockResource.KERNEL32(00000000,00000000,00000000,00000000,0042E627,?,00000000,00000000,00730020), ref: 0042E370
• LocalAlloc.KERNEL32(00000040,00000000,7FFFFFFF,00000000,00000000,00000019,00000000,00000000,00000000,00000000,0042E627,?,00000000,00000000,00730020), ref: 0042E3AA
• FreeResource.KERNEL32(00000000,7FFFFFFF,00000000,00000000,00000019,00000000,00000000,00000000,00000000,0042E627,?,00000000,00000000,00730020), ref: 0042E5FF
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: Resource$AllocFindFreeLoadLocalLock
• String ID: Internal error: Invalid settings resource ($TPF0TMadExceptmadExcept$madExcept$|pC
• API String ID: 2848537939-1491361403
• Opcode ID: aa1c3a75421822748f73ce3bfc93c2705fc3e4b009d258c3fe3bbd384f2df8a6
• Instruction ID: 77f4b769f67da45874b03e08e449cb3e726fbed95d2845e422f13c3fbf46f533
• Opcode Fuzzy Hash: aa1c3a75421822748f73ce3bfc93c2705fc3e4b009d258c3fe3bbd384f2df8a6
• Instruction Fuzzy Hash: 76918271B50215AFEB10DBA6DC82FBE77B8AF49304F544066B501FB2C1D678AD01CB69
Uniqueness

Uniqueness Score: -1.00%

APIs
• DeleteFileA.KERNEL32(00000000), ref: 00432F91
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: DeleteFile
• String ID: <$@$AttachCheck$ScrShotImg$edit
• API String ID: 4033686569-1111002740
• Opcode ID: b0476906d1ee77da421ce0822d0c50d8218d05a1ec8e5cc95e8213ad71bec2be
• Instruction ID: 3d31f579249b1d3e708bbb104ee6197774963e0646ac57b6629214dae2919fde
• Opcode Fuzzy Hash: b0476906d1ee77da421ce0822d0c50d8218d05a1ec8e5cc95e8213ad71bec2be
• Instruction Fuzzy Hash: A0B15E30A00208DFDB04EFA5C585A9EB7F5FF08305F6490BAE805AB395CB79AE45CB55
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

APIs
• GetSysColor.USER32(00000008), ref: 004256FB
• GetSysColor.USER32(00000005), ref: 0042578A
• GetSysColor.USER32(0000000F), ref: 004257C0
• GetSysColor.USER32(00000008), ref: 00425836
• GetSysColor.USER32(0000000F), ref: 00425855
• GetSysColor.USER32(00000010), ref: 004257AC
  • Part of subcall function 00424A08: InflateRect.USER32(?), ref: 00424A26
  • Part of subcall function 00424A08: CreateSolidBrush.GDI32(?), ref: 00424A2F
  • Part of subcall function 00424A08: FillRect.USER32(?,?,00000000), ref: 00424A3C
  • Part of subcall function 00424A08: DeleteObject.GDI32(00000000), ref: 00424A42
• GetSysColor.USER32(0000000F), ref: 00425869
• GetSysColor.USER32(0000000F), ref: 004258A6
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: Color$Rect$BrushCreateDeleteFillInflateObjectSolid
• String ID: Arial
• API String ID: 9615130-493054409
• Opcode ID: 39ea4490c628a0207420be9da0a06f70ad5efa59e71fe529c2c49424d413ddd2
• Instruction ID: 78f968c5ff6983dcee90eac364f8b16ec2e9891ee176f877b1a0e0d936aaa9c4
• Opcode Fuzzy Hash: 39ea4490c628a0207420be9da0a06f70ad5efa59e71fe529c2c49424d413ddd2
• Instruction Fuzzy Hash: BD914071B406199FCB00EF99D882BEEB7B5FF88314F50811AF514F7281C778A9458B69
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetVersion.KERNEL32(00000000,004398AA,B70F0B3E,B70F0B7E,00000000,00000000,00000006,00000000,00000000,B70F0B6A,0043A073,00000101,B70F09C2,7FFFFFFF,00000000,0043A285), ref: 0043965A
• FreeLibrary.KERNEL32(00000000,00000000,GetNetworkParams,IpHlpApi.dll,00000000,004398AA,B70F0B3E,B70F0B7E,00000000,00000000,00000006,00000000,00000000,B70F0B6A,0043A073,00000101), ref: 00439874
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: FreeLibraryVersion
• String ID: DhcpNameServer$GetNetworkParams$IpHlpApi.dll$NameServer$System\CurrentControlSet\Services\$Tcpip\Parameters$VxD\MSTCP
• API String ID: 1869374125-2864456209
• Opcode ID: be9257167b66c50308e601114d25e930711af48e5457a80d3709c381b832ba0d
• Instruction ID: 5eb0eefde4f4232f44c4392ec1ac82873e2befdb72dca7ed4e43aaeb6d98849d
• Opcode Fuzzy Hash: be9257167b66c50308e601114d25e930711af48e5457a80d3709c381b832ba0d
• Instruction Fuzzy Hash: 1371D830A10108ABDB04FB95D481B9EB3B9EF89304F1091BBE511B7391D7B8AE45CB59
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 43%
    E0068EDF2(void* __ecx, intOrPtr _a4, signed char _a8, intOrPtr _a12) {
        signed int _v8;
        char _v20;
        intOrPtr _v32;
        CHAR* _v36;
        CHAR* _v40;
        intOrPtr _v44;
        CHAR* _v48;
        CHAR* _t54;
        intOrPtr _t65;
        signed int _t73;
        signed int _t77;
        intOrPtr _t98;

        _t71 = __ecx;
        // SEH frame setup: register handler 0x69052c and link it into fs:[0]
        _push(0xffffffff);
        _push(0x693568);
        _push(0x69052c);
        _push( *[fs:0x0]);
         *[fs:0x0] = _t98;
        _push(__ecx);
        _push(__ecx);
        // one-time init: cache the current process ID in a global (0x695b00)
        if(( *0x695b04 & 1) == 0) {
             *0x695b04 =  *0x695b04 & 0x000000ff | 0x00000001;
             *0x695b00 = GetCurrentProcessId();
        }
        // third argument, if non-zero, replaces the cached PID in the generated name
        if(_a12 != 0) {
            _v44 = _a12;
        } else {
            _t65 =  *0x695b00; // 0x0
            _v44 = _t65;
        }
        _v32 = _v44;
        _v8 = _v8 & 0x00000000;
        // allocate a 0x124-byte buffer (0x49 dwords), zero it and fill it with the temp directory
        _v40 = E0068E6F9(_t71, 0x124);
        _v36 = _v40;
        _t73 = 0x49;
        memset(_v36, 0, _t73 << 2);
        GetTempPathA(0x104, _v36);
        // repne scasb below is strlen(buffer); the decompiler renders the computed end
        // offset as the placeholder 0xbadbac, so each wsprintfA appends to the temp path
        if((_a8 & 0x000000ff) == 0) {
            if(_a4 == 0xffffffff) {
                // _a8 == 0 and _a4 == -1: wildcard pattern MBX@<pid>@*.###
                _push(_v32);
                asm("repne scasb");
                _t77 = 0xbadbac;
                wsprintfA( &(_v36[0xbadbac]), "MBX@%X@*.###");
            } else {
                // _a8 == 0: MBX@<pid>@<_a4>.###
                _push(_a4);
                _push(_v32);
                asm("repne scasb");
                _t77 = 0xbadbac;
                wsprintfA( &(_v36[0xbadbac]), "MBX@%X@%X.###");
            }
        } else {
            // _a8 != 0: bump the global counter at 0x699b10 and emit MBX@<pid>@<_a4>@<counter>.###
             *0x699b10 =  *0x699b10 + 1;
            _push( *0x699b10);
            _push(_a4);
            _push(_v32);
            asm("repne scasb");
            _t77 = 0xbadbac;
            wsprintfA( &(_v36[0xbadbac]), "MBX@%X@%X@%X.###");
        }
        // uppercase the whole path; the length argument is the strlen computed by repne scasb
        asm("repne scasb");
        CharUpperBuffA(_v36,  !(_t77 | 0xffffffff) - 1);
        _v48 = _v36;
        // unwind helper, then restore fs:[0] and return the heap buffer holding the path
        0x690476( &_v20, 0xffffffff);
        _t54 = _v48;
         *[fs:0x0] = _v20;
        return _t54;
    }
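The function above builds a temp-file name in three shapes (MBX@<pid>@*.###, MBX@<pid>@<id>.### and MBX@<pid>@<id>@<counter>.###) and uppercases the whole path. The following Python is an added reimplementation for analysis and hunting; it is not code from the sample or from the Joe Sandbox report. The roles assigned to the arguments (_a4 as an identifier, _a8 as a "use counter" flag, _a12 as a PID override) are inferred from the decompilation and are assumptions, and the file-event paths are constructed sample data.

```python
import re

# Reimplementation of the naming logic in E0068EDF2 (added here for analysis).
# Argument roles are inferred from the decompiled code, not confirmed by the report.
MASK32 = 0xFFFFFFFF


class MbxNamer:
    """Mirrors the per-process state the function keeps in globals."""

    def __init__(self, temp_path, pid):
        self.temp_path = temp_path          # what GetTempPathA would return (with trailing '\')
        self.pid = pid & MASK32             # cached GetCurrentProcessId() at 0x695b00
        self.counter = 0                    # the global at 0x699b10

    def name(self, ident=MASK32, use_counter=False, pid_override=0):
        """Return the uppercased path for the given (_a4, _a8, _a12) combination."""
        ident &= MASK32                     # wsprintfA %X prints -1 as FFFFFFFF
        pid = (pid_override & MASK32) if pid_override != 0 else self.pid
        if use_counter:                     # _a8 != 0
            self.counter += 1
            tail = "MBX@%X@%X@%X.###" % (pid, ident, self.counter)
        elif ident == MASK32:               # _a8 == 0, _a4 == -1
            tail = "MBX@%X@*.###" % pid
        else:                               # _a8 == 0
            tail = "MBX@%X@%X.###" % (pid, ident)
        # wsprintfA appends after the temp path; CharUpperBuffA uppercases everything
        return (self.temp_path + tail).upper()


# Hunting pattern for the on-disk artefacts (the '*' variant is a search mask,
# so it never shows up as a created file and is left out of the pattern).
MBX_PATTERN = re.compile(r"\\MBX@[0-9A-F]+@[0-9A-F]+(?:@[0-9A-F]+)?\.###$")


def is_mbx_artifact(path):
    """True if a file path matches the MBX@<hex>@<hex>[@<hex>].### scheme."""
    return MBX_PATTERN.search(path.upper()) is not None


# Constructed file-creation events, not taken from the report.
SAMPLE_FILE_EVENTS = [
    r"C:\Users\user\AppData\Local\Temp\MBX@1A2C@3E.###",
    r"C:\Users\user\AppData\Local\Temp\MBX@1A2C@3E@1.###",
    r"C:\Users\user\AppData\Local\Temp\report.docx",
]


def find_mbx_artifacts(paths):
    """Filter a list of file paths down to those matching the naming scheme."""
    return [p for p in paths if is_mbx_artifact(p)]


if __name__ == "__main__":
    namer = MbxNamer("C:\\Users\\user\\AppData\\Local\\Temp\\", 0x1A2C)
    print(namer.name(0x3E))
    print(namer.name())
    print(namer.name(0x3E, use_counter=True))
    print(find_mbx_artifacts(SAMPLE_FILE_EVENTS))
```

Because the PID is rendered in hex and the whole path is uppercased, a hunt over file-creation telemetry should normalise case before matching and should treat the first hex field as a PID to correlate against process-creation events from the same host.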
0x0068edf2
0x0068edf5
0x0068edf7
0x0068edfc
0x0068ee07
0x0068ee08
0x0068ee0f
0x0068ee10
0x0068ee23
0x0068ee2e
0x0068ee39
0x0068ee39
0x0068ee42
0x0068ee51
0x0068ee44
0x0068ee44
0x0068ee49
0x0068ee49
0x0068ee57
                                                                                                                                                                                      0x0068ee5a
                                                                                                                                                                                      0x0068ee69
                                                                                                                                                                                      0x0068ee6f
                                                                                                                                                                                      0x0068ee74
                                                                                                                                                                                      0x0068ee7a
                                                                                                                                                                                      0x0068ee84
                                                                                                                                                                                      0x0068ee90
                                                                                                                                                                                      0x0068eed0
                                                                                                                                                                                      0x0068eefb
                                                                                                                                                                                      0x0068ef0b
                                                                                                                                                                                      0x0068ef0f
                                                                                                                                                                                      0x0068ef16
                                                                                                                                                                                      0x0068eed2
                                                                                                                                                                                      0x0068eed2
                                                                                                                                                                                      0x0068eed5
                                                                                                                                                                                      0x0068eee5
                                                                                                                                                                                      0x0068eee9
                                                                                                                                                                                      0x0068eef0
                                                                                                                                                                                      0x0068eef6
                                                                                                                                                                                      0x0068ee92
                                                                                                                                                                                      0x0068ee98
                                                                                                                                                                                      0x0068ee9d
                                                                                                                                                                                      0x0068eea3
                                                                                                                                                                                      0x0068eea6
                                                                                                                                                                                      0x0068eeb6
                                                                                                                                                                                      0x0068eeba
                                                                                                                                                                                      0x0068eec1
                                                                                                                                                                                      0x0068eec7
                                                                                                                                                                                      0x0068ef27
                                                                                                                                                                                      0x0068ef30
                                                                                                                                                                                      0x0068ef3b
                                                                                                                                                                                      0x0068ef42
                                                                                                                                                                                      0x0068ef49
                                                                                                                                                                                      0x0068ef52
                                                                                                                                                                                      0x0068ef5d

APIs
• GetCurrentProcessId.KERNEL32(?,?,00000084,00000000,?,?,?,00000084), ref: 0068EE33
• GetTempPathA.KERNEL32(00000104,?,?,?,00000084,00000000), ref: 0068EE84
• wsprintfA.USER32 ref: 0068EEC1
• wsprintfA.USER32 ref: 0068EEF0
• wsprintfA.USER32 ref: 0068EF16
• CharUpperBuffA.USER32(?,?,?,?,?,00000000), ref: 0068EF30
Strings
Memory Dump Source
• Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: wsprintf$BuffCharCurrentPathProcessTempUpper
• String ID: MBX@%X@%X.###$MBX@%X@%X@%X.###$MBX@%X@*.###
• API String ID: 700814352-833101087
• Opcode ID: a302ad6aa9d92adba021db1af3edb04f0bf8643353551456749732299eda20a2
• Instruction ID: 2a7af3097a4a5dc357acd0152c9f9cfc22730a3d1460ae7ba7de54ac6b318ce7
• Opcode Fuzzy Hash: a302ad6aa9d92adba021db1af3edb04f0bf8643353551456749732299eda20a2
• Instruction Fuzzy Hash: 9241A2719042189FDF15DFA8DC0AAED7BFAFB08320F14561AF522E66E1D7799900CB24
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 74%
			E0068D99E(void* __ecx) {
				signed int _v8;
				intOrPtr _v20;
				intOrPtr _v28;
				long _v32;
				struct _STARTUPINFOA _v108;
				void* _v112;
				void* _v116;
				long _v120;
				void _v124;
				signed int _v128;
				struct _PROCESS_INFORMATION _v144;
				signed int _v148;
				long _t60;
				signed int _t68;
				signed int _t71;
				intOrPtr _t88;

				_push(0xffffffff);
				_push(0x6934f0);
				_push(0x69052c);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t88;
				_push(__ecx);
				_push(__ecx);
				_v28 = _t88 - 0x7c;
				_v128 = _v128 & 0x00000000;
				_v124 = _v124 & 0x00000000;
				asm("stosd");
				_v108.cb = _v108.cb & 0x00000000;
				_t68 = 0x10;
				memset( &(_v108.lpReserved), 0, _t68 << 2);
				_v116 = GetCurrentProcess();
				_v112 = 0x6885e0;
				_v32 = _v32 & 0x00000000;
				_v8 = _v8 & 0x00000000;
				_v148 = E0068E6F9(0, 0x105);
				_v128 = _v148;
				_t71 = 0x41;
				memset(_v128, 0, _t71 << 2);
				asm("stosb");
				if(GetModuleFileNameA(GetModuleHandleA(0), _v128, 0x104) == 0) {
					E0068E6E1(_t50, 0xef000015);
				}
				_v108.cb = 0x44;
				if(CreateProcessA(_v128, 0, 0, 0, 1, 0xc, 0, 0,  &_v108,  &_v144) == 0) {
					E0068E6E1(_t53, 0xef000015);
				}
				if(DuplicateHandle(_v116, _v116, _v144.hProcess,  &_v124, 0, 1, 2) == 0) {
					E0068E6E1(_t55, 0xef000015);
				}
				_v120 = GetCurrentProcessId();
				if(WriteProcessMemory(_v144, _v112,  &_v124, 8,  &_v32) == 0) {
					E0068E6E1(_t59, 0xef000015);
				}
				_t60 = ResumeThread(_v144.hThread);
				if(_t60 == 0) {
					_t60 = E0068E6E1(_t60, 0xef000015);
				}
				_v8 = _v8 | 0xffffffff;
				 *[fs:0x0] = _v20;
				return _t60;
			}
                                                                                                                                                                                      0x0068d9a1
                                                                                                                                                                                      0x0068d9a3
                                                                                                                                                                                      0x0068d9a8
                                                                                                                                                                                      0x0068d9b3
                                                                                                                                                                                      0x0068d9b4
                                                                                                                                                                                      0x0068d9bb
                                                                                                                                                                                      0x0068d9bc
0x0068d9c3 0x0068d9c6 0x0068d9ca 0x0068d9d3 0x0068d9d4 0x0068d9da
0x0068d9e0 0x0068d9e8 0x0068d9eb 0x0068d9f2 0x0068d9f6 0x0068da05
0x0068da11 0x0068da16 0x0068da1c 0x0068da1e 0x0068da38 0x0068da3f
0x0068da3f 0x0068da44 0x0068da6f 0x0068da76 0x0068da76 0x0068da99
0x0068daa0 0x0068daa0 0x0068daab 0x0068dac9 0x0068dad0 0x0068dad0
0x0068dadb 0x0068dae3 0x0068daea 0x0068daea 0x0068daef 0x0068db2e
0x0068db39

APIs
• GetCurrentProcess.KERNEL32 ref: 0068D9E2
• GetModuleHandleA.KERNEL32(00000000,00000000,00000104), ref: 0068DA29
• GetModuleFileNameA.KERNEL32(00000000), ref: 0068DA30
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,0000000C,00000000,00000000,00000044,?), ref: 0068DA67
• DuplicateHandle.KERNEL32(?,?,00000002,00000000,00000000,00000001,00000002), ref: 0068DA91
• GetCurrentProcessId.KERNEL32 ref: 0068DAA5
• WriteProcessMemory.KERNEL32(00000000,006885E0,00000000,00000008,00000000), ref: 0068DAC1
• ResumeThread.KERNEL32(?), ref: 0068DADB
  • Part of subcall function 0068E6E1: RaiseException.KERNEL32(00000000,00000000,00000000,00000000,EF00000D,?,0068E777,024B0488,?,0068E703,024B0488,024B0488,?,00688580,00000068), ref: 0068E6F1
Strings
Memory Dump Source
• Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: Process$CurrentHandleModule$CreateDuplicateExceptionFileMemoryNameRaiseResumeThreadWrite
• String ID: D
• API String ID: 2444673992-2746444292
• Opcode ID: 959dc8205ff685fc78e8c4f0734e4ee4b3a6ca833d5bf2607011e12d488419f1
• Instruction ID: fce482092044319b73853983528837d6d512a950bf062064687eaf36d9891de8
• Opcode Fuzzy Hash: 959dc8205ff685fc78e8c4f0734e4ee4b3a6ca833d5bf2607011e12d488419f1
• Instruction Fuzzy Hash: AC415E71A50608AFEF20AFA0DC46BDEBBBABB44711F20412DF215EB2D1DBB159509F14
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualQuery.KERNEL32(?,0000001C,0000001C,?,?,?,-- backtrace --,-- backtrace --,?,Function_0029052C,00693578,000000FF,?,0068F522,?), ref: 0068F298
• wsprintfA.USER32 ref: 0068F2AC
Strings
Memory Dump Source
• Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: QueryVirtualwsprintf
• String ID: !broken!$-- backtrace --$0x%08x:[%s]:(%03x:%08x)$0x%08x:[unknown]:unknown$hXi$unknown
• API String ID: 682088319-309125684
• Opcode ID: 13e760fe95d4e5862061edabd6aafcfe3ee068ff5e3b1ad9e479041794b6a54a
• Instruction ID: 8ee4da66bfad700030b3499b86ceb51b0415ea56e2f146178e3891a17ec61271
• Opcode Fuzzy Hash: 13e760fe95d4e5862061edabd6aafcfe3ee068ff5e3b1ad9e479041794b6a54a
• Instruction Fuzzy Hash: DA215171A00618EBDF11DFD8DD05BEEBBBEFB08724F100229F511A2690D7799A018BA4
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 66%
E0068EAC6(signed int __ecx, void* _a4) {
	signed int _v8;
	char _v20;
	signed int _v32;
	long _v36;
	void* _v40;
	char _v41;
	signed int _v48;
	char* _t52;
	struct HINSTANCE__* _t61;
	void* _t73;
	signed int _t80;
	long _t83;
	signed int _t92;
	intOrPtr _t106;

	_t80 = __ecx;
	_push(0xffffffff);
	_push(0x693538);
	_push(0x69052c);
	_push( *[fs:0x0]);
	 *[fs:0x0] = _t106;
	_push(__ecx);
	_push(__ecx);
	EnterCriticalSection( *0x006885E4 + 0x48);
	_v32 = _v32 & 0x00000000;
	_v8 = _v8 & 0x00000000;
	_t7 =  *0x006885E4 + 0x60; // 0x0
	_v40 =  *_t7;
	if(_v40 != 0) {
		L8:
		asm("repne scasb");
		_t83 =  !(_t80 | 0xffffffff) - 1;
		WriteFile(_v40, _a4, _t83,  &_v36, 0);
		asm("repne scasb");
		if(_v36 !=  !(_t83 | 0xffffffff) - 1) {
			goto L11;
		}
	} else {
		_v48 = E0068E6F9(_t80, 0x400);
		_v32 = _v48;
		_t61 = GetModuleHandleA(0);
		_t92 =  *0x006885E4;
		 *(_t92 + 0x64) = _t61;
		if( *( *0x006885E4 + 0x64) != 0) {
			_t19 =  *0x006885E4 + 0x64; // 0x0
			if(GetModuleFileNameA( *_t19, _v32, 0x400) != 0) {
				asm("repne scasb");
				wsprintfA(_v32 +  !(_t92 | 0xffffffff) - 1, "-up.txt");
				_t73 = CreateFileA(_v32, 0x40000000, 1, 0, 2, 0x80, 0);
				_t80 =  *0x006885E4;
				 *(_t80 + 0x60) = _t73;
				_t26 =  *0x006885E4 + 0x60; // 0x0
				_v40 =  *_t26;
				if(_v40 != 0) {
					SetFilePointer(_v40, 0, 0, 2);
					goto L8;
				} else {
					goto L11;
				}
			} else {
				goto L11;
			}
		} else {
			L11:
			_v41 = _v41 & 0x00000000;
			MessageBoxA(0, "can\'t open logfile",  &_v41, 0);
			TerminateProcess(GetCurrentProcess(), 0);
		}
	}
	_t52 =  &_v20;
	0x690476(_t52, 0xffffffff);
	 *[fs:0x0] = _v20;
	return _t52;
}

Address column of the decompiled function above (one entry per statement): 0x0068eac6 through 0x0068ec87.

                                                                                                                                                                                      APIs
                                                                                                                                                                                      • EnterCriticalSection.KERNEL32(024B0440), ref: 0068EAF7
                                                                                                                                                                                      • GetModuleHandleA.KERNEL32(00000000), ref: 0068EB33
                                                                                                                                                                                      • GetModuleFileNameA.KERNEL32(00000000,00000000,00000400), ref: 0068EB6A
                                                                                                                                                                                      • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0068EC02
                                                                                                                                                                                      • MessageBoxA.USER32 ref: 0068EC40
                                                                                                                                                                                      • GetCurrentProcess.KERNEL32(00000000,?,?,00000000), ref: 0068EC48
                                                                                                                                                                                      • TerminateProcess.KERNEL32(00000000,?,?,00000000), ref: 0068EC4F
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: FileModuleProcess$CriticalCurrentEnterHandleMessageNameSectionTerminateWrite
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID: 3821509113-0
                                                                                                                                                                                      • Opcode ID: 35ab076a414b0ca8afa6e0b5ed15d616604f640d31d91608fb8d64fad9d8de03
                                                                                                                                                                                      • Instruction ID: 6e4e3910896c533ee7f5ae38fa5a186792d19cdb740b1f855b300dc151cf4926
                                                                                                                                                                                      • Opcode Fuzzy Hash: 35ab076a414b0ca8afa6e0b5ed15d616604f640d31d91608fb8d64fad9d8de03
                                                                                                                                                                                      • Instruction Fuzzy Hash: B0517E75A40204EFDB04AFA8DD0AFA97BBAFB08711F10421AF511EB6D1DB75DD018B54
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                      APIs
                                                                                                                                                                                        • Part of subcall function 004248D4: CreateFontA.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 0042492D
                                                                                                                                                                                        • Part of subcall function 004248D4: CreateFontA.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,MS Sans Serif), ref: 00424957
                                                                                                                                                                                      • SelectObject.GDI32(?,?), ref: 00424C34
                                                                                                                                                                                      • GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 00424C57
                                                                                                                                                                                      • SetBkMode.GDI32(?,00000001), ref: 00424C80
                                                                                                                                                                                      • SetTextColor.GDI32(?,?), ref: 00424C8A
                                                                                                                                                                                      • SetTextColor.GDI32(?,00FFFFFF), ref: 00424C9B
                                                                                                                                                                                      • TextOutA.GDI32(?,?,?,00000000,00000000), ref: 00424CCD
                                                                                                                                                                                      • SetTextColor.GDI32(?,?), ref: 00424CE3
                                                                                                                                                                                      • TextOutA.GDI32(?,?,?,00000000,00000000), ref: 00424D03
                                                                                                                                                                                      • SelectObject.GDI32(?,?), ref: 00424D0D
                                                                                                                                                                                      • DeleteObject.GDI32(?), ref: 00424D16
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: Text$ColorObject$CreateFontSelect$DeleteExtentModePoint32
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID: 4223740531-0
                                                                                                                                                                                      • Opcode ID: 57ea5cf95d56f421e59569050752a764180e8077e836aa25c085b4f3e7a5e12c
                                                                                                                                                                                      • Instruction ID: d62e06a2f62680bdbf551d72b5029f4fa8b3ef4ee66065205f2d96a2b1f22a59
                                                                                                                                                                                      • Opcode Fuzzy Hash: 57ea5cf95d56f421e59569050752a764180e8077e836aa25c085b4f3e7a5e12c
                                                                                                                                                                                      • Instruction Fuzzy Hash: C74133B1A04118AFDB41EF59CC81EAE77FCEB89718F51416AF914F3291C638AD018B69
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                      APIs
                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 00432204
                                                                                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 00432219
                                                                                                                                                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0043223D
                                                                                                                                                                                      • EnterCriticalSection.KERNEL32(00000000), ref: 0043225A
                                                                                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 00432280
                                                                                                                                                                                      • LeaveCriticalSection.KERNEL32(00000000,004322BA,00000000), ref: 004322AD
                                                                                                                                                                                      • SetLastError.KERNEL32(?), ref: 004322D1
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: CriticalCurrentErrorLastSectionThread$EnterLeaveObjectSingleWait
                                                                                                                                                                                      • String ID: 4``
                                                                                                                                                                                      • API String ID: 4100131725-4100759201
                                                                                                                                                                                      • Opcode ID: bbde8bfd91bc5b059367b225c8defa7ff93afc13703e35a69b96e90e7845ddb0
                                                                                                                                                                                      • Instruction ID: a80b1359d35d11d84351d2b69f0832197d536343e16bfc65eee9deaa76c0731e
                                                                                                                                                                                      • Opcode Fuzzy Hash: bbde8bfd91bc5b059367b225c8defa7ff93afc13703e35a69b96e90e7845ddb0
                                                                                                                                                                                      • Instruction Fuzzy Hash: 1C11263090C7009BDB12EBA8ED85B6F73A9E708314F2056B7E400936D0C7BDB845D7AA
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                      APIs
                                                                                                                                                                                      • EnumWindows.USER32(Function_000234B8,?), ref: 00423635
                                                                                                                                                                                      • EnumWindows.USER32(Function_0002354C,?), ref: 00423693
                                                                                                                                                                                      • GetStockObject.GDI32(00000000), ref: 004236E2
                                                                                                                                                                                      • FillRect.USER32(?,?,00000000), ref: 004236F0
                                                                                                                                                                                      • SelectClipRgn.GDI32(?,00000000), ref: 004236FD
                                                                                                                                                                                      • SelectClipRgn.GDI32(?,00000000), ref: 00423734
                                                                                                                                                                                      • DeleteObject.GDI32(00000000), ref: 0042373D
                                                                                                                                                                                      • SelectClipRgn.GDI32(?,00000000), ref: 004237A4
                                                                                                                                                                                      • DeleteObject.GDI32(00000000), ref: 004237AD
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                      • Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp Download File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: ClipObjectSelect$DeleteEnumWindows$FillRectStock
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID: 3926179444-0
                                                                                                                                                                                      • Opcode ID: bf4ce19466c1e88cc8d92898153075d3bc9b6e9a4853832a3de92d453d1d6f47
                                                                                                                                                                                      • Instruction ID: 346e78b6c383af875de1215c97b1d755aabddb0323853fd6255954ec7496e8e9
                                                                                                                                                                                      • Opcode Fuzzy Hash: bf4ce19466c1e88cc8d92898153075d3bc9b6e9a4853832a3de92d453d1d6f47
                                                                                                                                                                                      • Instruction Fuzzy Hash: 07610AB1E00219AFCF10DFE9D885BDEBBF8AF48314F50412AE514EB280D738AA45CB55
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                      APIs
                                                                                                                                                                                      • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,0040AFAA,?,00607910,?,00000057,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040AE39
                                                                                                                                                                                      • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,0040AFAA,?,00607910,?,00000057,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040AE7C
                                                                                                                                                                                      • FormatMessageA.KERNEL32(00001300,?,00000057,00000400,?,00000000,00000000,00000000,0040AF88,?,00000000,0040AFAA,?,00607910,?,00000057), ref: 0040AEB8
                                                                                                                                                                                      • LocalFree.KERNEL32(?,0040AF6B,00001300,?,00000057,00000400,?,00000000,00000000,00000000,0040AF88,?,00000000,0040AFAA,?,00607910), ref: 0040AF28
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                      • Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp Download File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: FormatFreeHandleLibraryLoadLocalMessageModule
                                                                                                                                                                                      • String ID: ;!199{199$;0!8&2{199
                                                                                                                                                                                      • API String ID: 677395756-3712181515
                                                                                                                                                                                      • Opcode ID: 7b16afd55c94d974c0e72bd0b139121ed7236d6ac437d6010a78933e8daf9a03
                                                                                                                                                                                      • Instruction ID: c93002b9dd67e8ae5e96ea3b85a5e020cf9ed40f065f4085d2d636d5e72b00c6
                                                                                                                                                                                      • Opcode Fuzzy Hash: 7b16afd55c94d974c0e72bd0b139121ed7236d6ac437d6010a78933e8daf9a03
                                                                                                                                                                                      • Instruction Fuzzy Hash: B441A8B0A44305AFE711EBA5C841BAF77A9EB84704F50447BB500B32C1C67C9D55C6AE
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                      APIs
                                                                                                                                                                                      • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0045A219
                                                                                                                                                                                      • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0045A235
                                                                                                                                                                                      • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0045A26E
                                                                                                                                                                                      • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0045A2EB
                                                                                                                                                                                      • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0045A304
                                                                                                                                                                                      • VariantCopy.OLEAUT32(?), ref: 0045A339
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                      • Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp Download File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID: 351091851-3916222277
                                                                                                                                                                                      • Opcode ID: c06c10035eb90c48e9bd03bb3843b997470d1d8fb0e16bdaec6d26336b31533e
                                                                                                                                                                                      • Instruction ID: faecfb2c56e722671987fec7a475076183dd56244fbf1eb25ccc04ca58b14947
                                                                                                                                                                                      • Opcode Fuzzy Hash: c06c10035eb90c48e9bd03bb3843b997470d1d8fb0e16bdaec6d26336b31533e
                                                                                                                                                                                      • Instruction Fuzzy Hash: AA51FF7590061D9BCB21DB59CC81BDAB3BCAF48305F4042DAF949E7302D6389F898F65
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                      APIs
                                                                                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 004320C5
                                                                                                                                                                                        • Part of subcall function 00431E8C: WaitForSingleObject.KERNEL32(?,00000032,00000000,00431F73), ref: 00431EC6
                                                                                                                                                                                        • Part of subcall function 00431E8C: LocalSize.KERNEL32(?), ref: 00431EF7
                                                                                                                                                                                        • Part of subcall function 00431E8C: ReleaseMutex.KERNEL32(?,00431F2A,?,00000032,00000000,00431F73), ref: 00431F1D
                                                                                                                                                                                      • EnterCriticalSection.KERNEL32(00000000), ref: 0043211A
                                                                                                                                                                                      • LeaveCriticalSection.KERNEL32(00000000,00432187), ref: 0043217A
                                                                                                                                                                                      • SetEvent.KERNEL32(00000000), ref: 004321A4
                                                                                                                                                                                      • SetEvent.KERNEL32(00000000), ref: 004321B8
                                                                                                                                                                                      • PostMessageA.USER32(000A007E,00000400,00000001,00000000), ref: 004321CD
                                                                                                                                                                                        • Part of subcall function 0042AC1C: GetModuleHandleA.KERNEL32(kernel32.dll,CreateToolhelp32Snapshot), ref: 0042AC68
                                                                                                                                                                                        • Part of subcall function 0042AC1C: GetModuleHandleA.KERNEL32(kernel32.dll,Thread32First,00000000,kernel32.dll,CreateToolhelp32Snapshot), ref: 0042AC7F
                                                                                                                                                                                        • Part of subcall function 0042AC1C: GetModuleHandleA.KERNEL32(kernel32.dll,Thread32Next,00000000,kernel32.dll,Thread32First,00000000,kernel32.dll,CreateToolhelp32Snapshot), ref: 0042AC97
                                                                                                                                                                                        • Part of subcall function 0042AC1C: GetCurrentProcessId.KERNEL32 ref: 0042ACDB
                                                                                                                                                                                      Strings
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                      • Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp Download File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: HandleModule$CriticalCurrentEventSection$EnterLeaveLocalMessageMutexObjectPostProcessReleaseSingleSizeThreadWait
                                                                                                                                                                                      • String ID: 4``
                                                                                                                                                                                      • API String ID: 1701043000-4100759201
                                                                                                                                                                                      • Opcode ID: 4ce6991005392160eb4812244dfe4dd5837dfdd47396716e7d116e1e183ab263
                                                                                                                                                                                      • Instruction ID: 40c84eb75ffa7047a11134776f12060c6f74a966e69caacf2c6a1f6bcc65f972
                                                                                                                                                                                      • Opcode Fuzzy Hash: 4ce6991005392160eb4812244dfe4dd5837dfdd47396716e7d116e1e183ab263
                                                                                                                                                                                      • Instruction Fuzzy Hash: 66315A75A04215AFDF10DF94DA85EAE73B6FB48304F24446AE900E7391C778B945CB68
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                      APIs
• EnterCriticalSection.KERNEL32(006065C8,00000000,#), ref: 00401C4D
• LocalFree.KERNEL32(00961AA8,00000000,#), ref: 00401C5F
• VirtualFree.KERNEL32(02AC0000,00000000,00008000,00961AA8,00000000,#), ref: 00401C7E
• LocalFree.KERNEL32(00962AA8,02AC0000,00000000,00008000,00961AA8,00000000,#), ref: 00401CBD
• LeaveCriticalSection.KERNEL32(006065C8,00401CFD,00961AA8,00000000,#), ref: 00401CE6
• RtlDeleteCriticalSection.NTDLL(006065C8), ref: 00401CF0
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
• String ID: #
• API String ID: 3782394904-3629985089
• Opcode ID: 123019b0fd89c8990a7f93f08345d88cce51a72815b9c0820118061b4a7a3c36
• Instruction ID: 2afbbf882d9a78507c9e684b6033ecaddad39da9d73355e8fc87c883b82c9fec
• Opcode Fuzzy Hash: 123019b0fd89c8990a7f93f08345d88cce51a72815b9c0820118061b4a7a3c36
• Instruction Fuzzy Hash: AF11C4706C86405EE71AAF69DC81B273BD6F786754F80543AF402A72F5E6BDCC208729
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetVersion.KERNEL32 ref: 0040B54D
• GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0040B56B
• GetModuleHandleA.KERNEL32(kernel32.dll,QT_Thunk), ref: 0040B5DC
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: HandleModule$Version
• String ID: GetFreeSystemResources$QT_Thunk$kernel32.dll$user.exe
• API String ID: 1014407405-3315640428
• Opcode ID: b82bc198f79e1da13e2bbdadcf1860082333f4a32a785e8250ba499fa53de4e1
• Instruction ID: cd1849b891a71296cd782f789ce174efd7122e2881f6a40f829025b46f663ba2
• Opcode Fuzzy Hash: b82bc198f79e1da13e2bbdadcf1860082333f4a32a785e8250ba499fa53de4e1
• Instruction Fuzzy Hash: DF11E474A04305AAD710AFA59C893AE77B4DF14304F00447BA808F23E2DB7E9984CB9F
Uniqueness

Uniqueness Score: -1.00%

APIs
• LocalAlloc.KERNEL32(00000040,00000018,00000000,00000000,00000000,00000000,00000000,00002010,00000000,004238A7), ref: 00423810
• GetObjectA.GDI32(00000000,00000018,00000000), ref: 0042381F
• CreateCompatibleDC.GDI32(00000000), ref: 0042383B
• SelectObject.GDI32(00000000,00000000), ref: 0042384E
  • Part of subcall function 004235D4: EnumWindows.USER32(Function_000234B8,?), ref: 00423635
  • Part of subcall function 004235D4: EnumWindows.USER32(Function_0002354C,?), ref: 00423693
  • Part of subcall function 004235D4: GetStockObject.GDI32(00000000), ref: 004236E2
  • Part of subcall function 004235D4: FillRect.USER32(?,?,00000000), ref: 004236F0
• SelectObject.GDI32(00000000,?), ref: 00423877
• DeleteDC.GDI32(00000000), ref: 00423880
• LocalFree.KERNEL32(00000000,00000040,00000018,00000000,00000000,00000000,00000000,00000000,00002010,00000000,004238A7), ref: 00423886
• DeleteObject.GDI32(00000000), ref: 0042388C
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: Object$DeleteEnumLocalSelectWindows$AllocCompatibleCreateFillFreeRectStock
• String ID:
• API String ID: 1630359847-0
• Opcode ID: 5eaf7bac55da678812bd4c97b7a6818ad8f8be7322eb349e37943c038778dd78
• Instruction ID: 26bad349f4b648af1bcd85d347c26dfbc116a5f53e974dd6276eb84962a87d72
• Opcode Fuzzy Hash: 5eaf7bac55da678812bd4c97b7a6818ad8f8be7322eb349e37943c038778dd78
• Instruction Fuzzy Hash: 6F217171B44618BBD710FBAA8C42F5EB6F89F48704F50447AB604F72D2DA78AA009769
Uniqueness

Uniqueness Score: -1.00%

APIs
• select.WS2_32(00000000,B70EF65A,00000000,00000000,B70F0B62), ref: 0043B7C1
• ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 0043B8BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: ExecuteShellselect
• String ID: 100$200$302$Location:
• API String ID: 186192706-2597041285
• Opcode ID: aec0b46c5e2a123ac075ff8d0cdc1ca7ad2718073454c1676293b490fd0a2677
• Instruction ID: ca23a4677f096ad1a3128accc48d80e08038cc190f585900452aaff1ee19fb01
• Opcode Fuzzy Hash: aec0b46c5e2a123ac075ff8d0cdc1ca7ad2718073454c1676293b490fd0a2677
• Instruction Fuzzy Hash: 18418171A00618ABEB10EA55CC42BDE73A8EF88304F1091B6F605EB2D1D7789F419B98
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindResourceA.KERNEL32(?,TMADEXCEPT,0000000A), ref: 0040C6FF
• LoadResource.KERNEL32(?,00000000,00607910,?,00000000,?,00419994,?,00000000,00419B7D,?,00000000,00000004,00000000,00000000), ref: 0040C70C
• SizeofResource.KERNEL32(?,00000000,?,00000000,00607910,?,00000000,?,00419994,?,00000000,00419B7D,?,00000000,00000004,00000000), ref: 0040C719
• LockResource.KERNEL32(00000000,00000000,?,00000000,?,00000000,00607910,?,00000000,?,00419994,?,00000000,00419B7D,?,00000000), ref: 0040C720
• FreeResource.KERNEL32(00000000,00000000,?,00000000,?,00000000,00607910,?,00000000,?,00419994,?,00000000,00419B7D,?,00000000), ref: 0040C738
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: Resource$FindFreeLoadLockSizeof
• String ID: TMADEXCEPT
• API String ID: 4159136517-1465931417
• Opcode ID: 836bb639640dc5d5459f856adf0616523f1266062b224778328f575b62ae4d4c
• Instruction ID: 79fc9dbec54230cf29d6cfcc12004599d428d6a35832fe3730877f8d0e731325
• Opcode Fuzzy Hash: 836bb639640dc5d5459f856adf0616523f1266062b224778328f575b62ae4d4c
• Instruction Fuzzy Hash: A3F05462A095553ED322726A5CC1CBF5A9C8E966A8305417FF504F7282CB7C9D0152BA
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindResourceA.KERNEL32(?,TMADEXCEPT,0000000A), ref: 0040C6FF
• LoadResource.KERNEL32(?,00000000,00607910,?,00000000,?,00419994,?,00000000,00419B7D,?,00000000,00000004,00000000,00000000), ref: 0040C70C
• SizeofResource.KERNEL32(?,00000000,?,00000000,00607910,?,00000000,?,00419994,?,00000000,00419B7D,?,00000000,00000004,00000000), ref: 0040C719
• LockResource.KERNEL32(00000000,00000000,?,00000000,?,00000000,00607910,?,00000000,?,00419994,?,00000000,00419B7D,?,00000000), ref: 0040C720
• FreeResource.KERNEL32(00000000,00000000,?,00000000,?,00000000,00607910,?,00000000,?,00419994,?,00000000,00419B7D,?,00000000), ref: 0040C738
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: Resource$FindFreeLoadLockSizeof
• String ID: TMADEXCEPT
                                                                                                                                                                                      • API String ID: 4159136517-1465931417
                                                                                                                                                                                      • Opcode ID: 2e5e1ec3cdb0c02730e8ca8040a725a9e6ed48187e38d7a931c64d678382c5dc
                                                                                                                                                                                      • Instruction ID: ec2dfac468df73574147900598a82356e5db07548a296d9e2fc91c95b5b63c88
                                                                                                                                                                                      • Opcode Fuzzy Hash: 2e5e1ec3cdb0c02730e8ca8040a725a9e6ed48187e38d7a931c64d678382c5dc
                                                                                                                                                                                      • Instruction Fuzzy Hash: C3F01262A055193AD221726B5CC1CBF659C8E966A9305413FF904B7282DF7CED0152FE
                                                                                                                                                                                      Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 50%
E00689CE6(void* __ecx, intOrPtr _a4, signed int _a8, intOrPtr _a12, signed int* _a16) {
	signed int _v8;
	char _v20;
	char _v32;
	intOrPtr* _v36;
	signed int _v40;
	signed int _v44;
	signed int _v48;
	signed int _v52;
	signed int* _t68;
	signed int _t70;
	intOrPtr _t128;

	_push(0xffffffff);
	_push(0x693428);
	_push(0x69052c);
	_t68 =  *[fs:0x0];
	_push(_t68);
	 *[fs:0x0] = _t128;
	EnterCriticalSection(0x695ac8);
	_v8 = _v8 & 0x00000000;
	if( *0x695ac0 != 0) {
		if(_a16 == 0) {
			_t68 =  &_v32;
			_a16 = _t68;
		}
		0x690235(_a4);
		_v36 = _t68;
		if(_v36 == 0) {
			_v52 = _v52 & 0x00000000;
			0x690476( &_v20, 0xffffffff);
			_t70 = _v52;
			goto L29;
		} else {
			_v40 =  *(_v36 + 4);
			if(_a12 != 0) {
				if(_a12 != 2) {
					if(_a12 != 1) {
						 *_a16 =  *_a16 | 0xffffffff;
						SetLastError(0x57);
					} else {
						if(_a8 + _v40 <=  *( *_v36 + 8)) {
							if(_v40 + _a8 >= 0) {
								 *(_v36 + 4) = _a8 + _v40;
								 *_a16 =  *(_v36 + 4);
							} else {
								 *_a16 =  *_a16 | 0xffffffff;
								SetLastError(0x83);
							}
						} else {
							 *_a16 =  *_a16 | 0xffffffff;
							SetLastError(0x57);
						}
					}
				} else {
					if(_a8 <= 0) {
						if(_a8 >=  ~( *( *_v36 + 8))) {
							 *(_v36 + 4) = _a8 +  *( *_v36 + 8);
							 *_a16 =  *(_v36 + 4);
						} else {
							 *_a16 =  *_a16 | 0xffffffff;
							SetLastError(0x83);
						}
					} else {
						 *_a16 =  *_a16 | 0xffffffff;
						SetLastError(0x57);
					}
				}
				L27:
				_v48 = 1;
				0x690476( &_v20, 0xffffffff);
				_t70 = _v48;
				goto L29;
			}
			if(_a8 <=  *( *_v36 + 8)) {
				if(_a8 >= 0) {
					 *(_v36 + 4) = _a8;
					 *_a16 = _a8;
				} else {
					 *_a16 =  *_a16 | 0xffffffff;
					SetLastError(0x83);
				}
			} else {
				 *_a16 =  *_a16 | 0xffffffff;
				SetLastError(0x57);
			}
			goto L27;
		}
	} else {
		_v44 = _v44 & 0x00000000;
		0x690476( &_v20, 0xffffffff);
		_t70 = _v44;
		L29:
		 *[fs:0x0] = _v20;
		return _t70;
	}
}
Instruction address column for the listing above (one address per statement, detached from the listing during extraction): 0x00689ce9 0x00689ceb 0x00689cf0 0x00689cf5 0x00689cfb 0x00689cfc 0x00689d10 0x00689d16 0x00689d21 0x00689d40 0x00689d42 0x00689d45 0x00689d45 0x00689d51 0x00689d56 0x00689d5d 0x00689e9f 0x00689ea7 0x00689eae 0x00000000 0x00689d63 0x00689d69 0x00689d70 0x00689dc2 0x00689e1e 0x00689e79 0x00689e7e 0x00689e20 0x00689e2e 0x00689e48 0x00689e66 0x00689e72 0x00689e4a 0x00689e4d 0x00689e55 0x00689e55 0x00689e30 0x00689e33 0x00689e38 0x00689e38 0x00689e74 0x00689dc4 0x00689dc8 0x00689de7 0x00689e0a 0x00689e16 0x00689de9 0x00689dec 0x00689df4 0x00689df4 0x00689dca 0x00689dcd 0x00689dd2
                                                                                                                                                                                      0x00689dd2
                                                                                                                                                                                      0x00689e18
                                                                                                                                                                                      0x00689e84
                                                                                                                                                                                      0x00689e86
                                                                                                                                                                                      0x00689e91
                                                                                                                                                                                      0x00689e98
                                                                                                                                                                                      0x00000000
                                                                                                                                                                                      0x00689e98
                                                                                                                                                                                      0x00689d7d
                                                                                                                                                                                      0x00689d93
                                                                                                                                                                                      0x00689dae
                                                                                                                                                                                      0x00689db7
                                                                                                                                                                                      0x00689d95
                                                                                                                                                                                      0x00689d98
                                                                                                                                                                                      0x00689da0
                                                                                                                                                                                      0x00689da0
                                                                                                                                                                                      0x00689d7f
                                                                                                                                                                                      0x00689d82
                                                                                                                                                                                      0x00689d87
                                                                                                                                                                                      0x00689d87
                                                                                                                                                                                      0x00000000
                                                                                                                                                                                      0x00689db9
                                                                                                                                                                                      0x00689d23
                                                                                                                                                                                      0x00689d25
                                                                                                                                                                                      0x00689d2d
                                                                                                                                                                                      0x00689d34
                                                                                                                                                                                      0x00689ebf
                                                                                                                                                                                      0x00689ec2
                                                                                                                                                                                      0x00689ecd
                                                                                                                                                                                      0x00689ecd

APIs
• EnterCriticalSection.KERNEL32(00695AC8), ref: 00689D10
• SetLastError.KERNEL32(00000057,?), ref: 00689D87
Memory Dump Source
• Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: CriticalEnterErrorLastSection
• String ID:
• API String ID: 3668107397-0
• Opcode ID: 8bc0be570ea940915c03c8f796ade4bbd5435633829d12fa72faca045612778c
• Instruction ID: 60a6c9d42475bdb0c6049a0c987d767ff23f11c2cd22daac944137cb87d0e715
• Opcode Fuzzy Hash: 8bc0be570ea940915c03c8f796ade4bbd5435633829d12fa72faca045612778c
• Instruction Fuzzy Hash: 0F61E630504619DFDB04DF98D949AA97BF6FF09721F148209E866AB3A0C7349D01CF25
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 36%
E0068988D(void* __ecx, void* _a4, intOrPtr _a8, intOrPtr _a16, long _a20, signed int* _a24) {
    signed int _v8;
    char _v20;
    void* _v32;
    long _v36;
    signed int _v40;
    signed int* _v44;
    signed int _v48;
    signed int _v52;
    char _v56;
    signed int _v60;
    long _v64;
    signed int _v68;
    intOrPtr _v72;
    signed int _v76;
    signed int _v80;
    signed int* _t85;
    signed int _t87;
    long _t98;
    signed int _t126;
    intOrPtr _t139;

    _push(0xffffffff);
    _push(0x6933f8);
    _push(0x69052c);
    _push( *[fs:0x0]);
     *[fs:0x0] = _t139;
    _push(__ecx);
    _push(__ecx);
    EnterCriticalSection(0x695ac8);
    _v32 = _v32 & 0x00000000;
    _v8 = _v8 & 0x00000000;
    _t85 = _a24;
     *_t85 =  *_t85 & 0x00000000;
    _v40 = _v40 & 0x00000000;
    _v36 = 2;
    if( *0x695ac0 == 0) {
        _v80 = _v80 & 0x00000000;
        0x690476( &_v20, 0xffffffff);
        _t87 = _v80;
        L31:
         *[fs:0x0] = _v20;
        return _t87;
    }
    0x690235(_a4);
    _v44 = _t85;
    if(_v44 != 0) {
        _v48 =  *_v44;
        if(_a16 <=  *((intOrPtr*)(_v48 + 8))) {
            if(_a20 == 0) {
                _a20 =  *((intOrPtr*)(_v48 + 8)) - _a16;
            }
            if(_a20 + _a16 <=  *((intOrPtr*)(_v48 + 8))) {
                _v72 = _a8;
                if(_v72 > 0) {
                    if(_v72 <= 2 || _v72 == 0xf001f) {
                        _v36 = 4;
                    }
                }
                _v32 = VirtualAlloc(0, _a20, 0x1000, 4);
                if(_v32 != 0) {
                    _t98 = SetFilePointer(_a4,  *((intOrPtr*)(_v48 + 4)) + _a16, 0, 0);
                    _t126 = _v48;
                    _t128 =  *((intOrPtr*)(_t126 + 4)) + _a16;
                    if(_t98 ==  *((intOrPtr*)(_t126 + 4)) + _a16) {
                        _v52 = _v52 & 0x00000000;
                        while(_v52 < _a20) {
                            _v60 = _v60 & 0x00000000;
                            if(E0068A7E1(_t128, _a4, _v32 + _v52, _a20 - _v52,  &_v60, 0,  &_v56) == 0 || _v56 == 0 || _v60 == 0) {
                                goto L29;
                            } else {
                                _v52 = _v52 + _v60;
                                continue;
                            }
                        }
                        if(_v36 == 4 || VirtualProtect(_v32, _a20, _v36,  &_v64) != 0) {
                            0x690303(_v32, _v48);
                             *_a24 = _v32;
                            _v32 = _v32 & 0x00000000;
                            _v40 = 1;
                        }
                        goto L29;
                    }
                } else {
                }
                goto L29;
            } else {
                SetLastError(0x57);
                L29:
                _v76 = 1;
                0x690476( &_v20, 0xffffffff);
                _t87 = _v76;
                goto L31;
            }
        }
        SetLastError(0x57);
        goto L29;
    } else {
        _v68 = _v68 & 0x00000000;
        0x690476( &_v20, 0xffffffff);
                                                                                                                                                                                      					_t87 = _v68;
                                                                                                                                                                                      					goto L31;
                                                                                                                                                                                      				}
                                                                                                                                                                                      			}

Per-instruction addresses for this function (range 0x00689890 to 0x00689abc) were listed here as a bare address column without the matching instructions and are omitted; the API call sites are given by address below.

                                                                                                                                                                                      APIs
                                                                                                                                                                                      • EnterCriticalSection.KERNEL32(00695AC8), ref: 006898B7
                                                                                                                                                                                      • SetLastError.KERNEL32(00000057,?), ref: 00689928
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: CriticalEnterErrorLastSection
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID: 3668107397-0
                                                                                                                                                                                      • Opcode ID: 215253b7b12f5bf23806c58d2694d0e921fff2a7c6e01427980283943c1c1481
                                                                                                                                                                                      • Instruction ID: e4e05300ec0116b7f3e289dbaf2614c39f6b005d0230cfc137f9282f48502592
                                                                                                                                                                                      • Opcode Fuzzy Hash: 215253b7b12f5bf23806c58d2694d0e921fff2a7c6e01427980283943c1c1481
                                                                                                                                                                                      • Instruction Fuzzy Hash: 89713571904208EFDF14EF98D885BFEBBBAFB08315F184219F512A6690C734A941CF64
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                      APIs
                                                                                                                                                                                      • MoveToEx.GDI32(?,?,?,00000000), ref: 0043F2D7
                                                                                                                                                                                      • CreatePen.GDI32(00000000,00000001,?), ref: 0043F371
                                                                                                                                                                                      • SelectObject.GDI32(?,?), ref: 0043F37F
                                                                                                                                                                                      • LineTo.GDI32(?,?,?), ref: 0043F390
                                                                                                                                                                                      • SelectObject.GDI32(?,?), ref: 0043F39A
                                                                                                                                                                                      • DeleteObject.GDI32(?), ref: 0043F3A3
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: Object$Select$CreateDeleteLineMove
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID: 3907703346-0
                                                                                                                                                                                      • Opcode ID: bc3277a3a6e910faeaf95c971918460721eb197459c97cc412814937661b756e
                                                                                                                                                                                      • Instruction ID: fd3c1981277ced9873596e638696e9c87acc2a29bd9f2813ed39731ebf14d088
                                                                                                                                                                                      • Opcode Fuzzy Hash: bc3277a3a6e910faeaf95c971918460721eb197459c97cc412814937661b756e
                                                                                                                                                                                      • Instruction Fuzzy Hash: 4D313E72E01519AFDB00DEADCD81BEEB7F9EF48300F148139F914E7645D678AA018BA4
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%
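The API ID field in the blocks above (CriticalEnterErrorLastSection for the function at 0x00689890, Object$Select$CreateDeleteLineMove for the GDI drawing routine) is derived from the imported API names alone, which makes it a cheap key for grouping decompiled functions across samples without comparing opcodes. The Python below is an added example, not Joe Sandbox code: it reconstructs a rule that reproduces both IDs on this page (split each API name on CamelCase, drop tokens shorter than four characters, group tokens by how often they occur, most frequent group first, groups joined with $, tokens sorted alphabetically inside each group). The four-character cutoff and the ordering are inferred from these two strings only and are assumptions; the sample block is the GDI routine's API lines copied from the report above, and parse_api_names, camel_tokens and api_id are names chosen here.

```python
import re
from collections import Counter

# Constructed sample: the "APIs" bullet lines of the GDI drawing routine,
# copied from the report block above.
SAMPLE_BLOCK = """APIs
• MoveToEx.GDI32(?,?,?,00000000), ref: 0043F2D7
• CreatePen.GDI32(00000000,00000001,?), ref: 0043F371
• SelectObject.GDI32(?,?), ref: 0043F37F
• LineTo.GDI32(?,?,?), ref: 0043F390
• SelectObject.GDI32(?,?), ref: 0043F39A
• DeleteObject.GDI32(?), ref: 0043F3A3
"""

# API IDs exactly as reported on this page, used to check the reconstruction.
REPORTED_IDS = {
    ("EnterCriticalSection", "SetLastError"): "CriticalEnterErrorLastSection",
    ("MoveToEx", "CreatePen", "SelectObject", "LineTo", "SelectObject", "DeleteObject"):
        "Object$Select$CreateDeleteLineMove",
}

# Assumption: short tokens (To, Ex, Set, Pen) are dropped; none of them appear
# in either reported ID, and four is the smallest cutoff consistent with both.
MIN_TOKEN_LEN = 4


def parse_api_names(block):
    """Pull API names out of report bullet lines such as
    '• SelectObject.GDI32(?,?), ref: 0043F37F' -> 'SelectObject'.
    Duplicates are kept on purpose: the ID counts repeated tokens."""
    return re.findall(r"•\s*([A-Za-z0-9_]+)\.[A-Z0-9_]+\(", block)


def camel_tokens(name):
    """Split a Win32 API name on CamelCase boundaries:
    'MoveToEx' -> ['Move', 'To', 'Ex'] (assumes no runs of capitals)."""
    return re.findall(r"[A-Z][a-z]*", name)


def api_id(api_names):
    """Reconstructed API ID: tokens grouped by frequency, most frequent group
    first, groups separated by '$', tokens inside a group sorted and joined."""
    counts = Counter(
        tok for name in api_names for tok in camel_tokens(name)
        if len(tok) >= MIN_TOKEN_LEN
    )
    by_count = {}
    for tok, n in counts.items():
        by_count.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(by_count[n])) for n in sorted(by_count, reverse=True))


def check_against_report():
    """Return (reconstructed, reported) pairs that disagree; empty list means
    the inferred rule reproduces every ID on this page."""
    return [(api_id(names), want) for names, want in REPORTED_IDS.items()
            if api_id(names) != want]


if __name__ == "__main__":
    names = parse_api_names(SAMPLE_BLOCK)
    print(names, "->", api_id(names))
    print("mismatches against the report:", check_against_report())
```

Before relying on this key for clustering, run check_against_report over more blocks than the two here: an API with consecutive capitals (for example a name ending in DC or EX) will split differently under the simple regex, and a single counter-example would show the real cutoff or ordering differs from the inferred one.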

                                                                                                                                                                                      APIs
                                                                                                                                                                                      • CreatePen.GDI32(00000000,00000001), ref: 0043E915
                                                                                                                                                                                      • SelectObject.GDI32(?,00000000), ref: 0043E927
                                                                                                                                                                                      • MoveToEx.GDI32(?,?,?,00000000), ref: 0043E941
                                                                                                                                                                                      • LineTo.GDI32(?,?,?), ref: 0043E960
                                                                                                                                                                                      • SelectObject.GDI32(?,00000000), ref: 0043E970
                                                                                                                                                                                      • DeleteObject.GDI32(00000000), ref: 0043E976
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: Object$Select$CreateDeleteLineMove
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID: 3907703346-0
                                                                                                                                                                                      • Opcode ID: e7f3efecfe07362aaad780e8f9df4d99058c8504e8d939d8551dd1f1a864e146
                                                                                                                                                                                      • Instruction ID: fb3e0664bc353f7d230b7bdb37102da7edc4c3633353dfbd60649d5daa3712da
                                                                                                                                                                                      • Opcode Fuzzy Hash: e7f3efecfe07362aaad780e8f9df4d99058c8504e8d939d8551dd1f1a864e146
                                                                                                                                                                                      • Instruction Fuzzy Hash: E411B776605104AFE700EB6EC889EAAF7ECEF48654B048466BD04DB352D674ED408665
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0042C174: GetVersion.KERNEL32(?,00000001,00445D18,00000010,00000000,00445EC5,?,T$E,005FA000,00000000), ref: 0042C178
  • Part of subcall function 0042C174: Sleep.KERNEL32(0000000A,?,00000001,00445D18,00000010,00000000,00445EC5,?,T$E,005FA000,00000000), ref: 0042C1D6
• GetWindowLongA.USER32(?,000000EC), ref: 00439098
• SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000003), ref: 004390BB
• SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003), ref: 0043910A
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Similarity
• API ID: Window$LongSleepVersion
• String ID: MAPISendMail$mapi32.dll
• API String ID: 3125456618-3507761728
• Opcode ID: 612646a3e70cfa799d17e86a081f11344a0fc2c67ad4611aee223f9c44af3402
• Instruction ID: bc414e178ffca88585dd616e77570e667d23069d8621485faaceb839cfd020aa
• Opcode Fuzzy Hash: 612646a3e70cfa799d17e86a081f11344a0fc2c67ad4611aee223f9c44af3402
• Instruction Fuzzy Hash: 47913270D042099FDB10EFA9C882B9EB7B4AB48314F11517AF505BB3D1D778AD41CBA9
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00424994: GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 004249CF
• GetSystemMetrics.USER32(00000047), ref: 004262B5
• GetSystemMetrics.USER32(00000048), ref: 004262C2
• GetSystemMetrics.USER32(00000047), ref: 004262CE
• SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 00426316
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Similarity
• API ID: MetricsSystem$ExtentMessagePoint32SendText
• String ID: Button
• API String ID: 381378357-1034594571
• Opcode ID: 9610cefe7a93072c7f39dcc76411e37b7b33c662b48549c0712d49d9d909542e
• Instruction ID: 140efc3b170549be64b82a71b3e88e3ee7b879dcb084241c1a3ff13094ca3202
• Opcode Fuzzy Hash: 9610cefe7a93072c7f39dcc76411e37b7b33c662b48549c0712d49d9d909542e
• Instruction Fuzzy Hash: 52217771B04204AFDB14DF69D8C2B5A77E8EB89704F91407ABA04EB3C2D678DD40CB59
Uniqueness
• Uniqueness Score: -1.00%

APIs
• FindWindowA.USER32(TAppBuilder,00000000), ref: 0044DE9E
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0044DEB0
• EnumWindows.USER32(0044DD8C,?), ref: 0044DEE5
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Similarity
• API ID: Window$EnumFindProcessThreadWindows
• String ID: TAppBuilder$madToolsMsgHandlerWindow
• API String ID: 1333186420-3019852503
• Opcode ID: 9da986fc8edb66deb545d16ab0d035e449b0e2ccb688b5b0ecfc29d788371d95
• Instruction ID: d0c4163d6ed96c2b33b89127c74da93fb1e7872c5d33eae7b17881679fe408b3
• Opcode Fuzzy Hash: 9da986fc8edb66deb545d16ab0d035e449b0e2ccb688b5b0ecfc29d788371d95
• Instruction Fuzzy Hash: 21117774E14608AFE710FBD1CC42A9EB3BCEB85304FA14477A910B32D1DB78AE058B59
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004037DE
• RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,0040382D,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403811
• RegCloseKey.ADVAPI32(?,00403834,00000000,?,00000004,00000000,0040382D,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403827
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
• API String ID: 3677997916-4173385793
• Opcode ID: 846bedb45d8f661a136d33421162aa7e50a724fc78f488bc3fb1c59c8c3c0414
• Instruction ID: 1d668e07ac8a77720ccd8c4c968de9b832e89e20fa2e02c051f605d2b6028c7c
• Opcode Fuzzy Hash: 846bedb45d8f661a136d33421162aa7e50a724fc78f488bc3fb1c59c8c3c0414
• Instruction Fuzzy Hash: 9A017576940348BADB11EF91DC42FB9B7ECEB04B01F5080B6F904E76D0E6789A14D769
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SendMessageTimeoutA.USER32(000A007E,00000400,00000001,00000000,00000000,000005DC,005FA000), ref: 00431C5C
• SendMessageTimeoutA.USER32(000A007E,00000400,00000000,00000000,00000000,7FFFFFFE,00000309), ref: 00431C8B
• GetWindowLongA.USER32(00000000,000000EC), ref: 00431D5C
• SetWindowPos.USER32(00000000,000000FE,00000000,00000000,00000000,00000000,00000003,?,00607910,?,00000000), ref: 00431D81
• SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000003,?,?,00607910,?,00000000), ref: 00431DA9
  • Part of subcall function 00445F20: EnterCriticalSection.KERNEL32(02B32564,005FA000,?,?,00431AE5,?,00607910,?,00000000), ref: 00445F3C
  • Part of subcall function 00445F20: LeaveCriticalSection.KERNEL32(02B32564,00445FC9,02B32564,005FA000,?,?,00431AE5,?,00607910,?,00000000), ref: 00445FBC
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Similarity
• API ID: Window$CriticalMessageSectionSendTimeout$EnterLeaveLong
• String ID:
• API String ID: 1340963564-0
• Opcode ID: d2c148c070ac9192014aafc63beff1f18ef92b4699fb4e99e3f1b474d1f6c5a9
• Instruction ID: 9c9546ac3f015aa90516baba5e80a363fd8e856eab11c1c1d8e9aee7818f423b
• Opcode Fuzzy Hash: d2c148c070ac9192014aafc63beff1f18ef92b4699fb4e99e3f1b474d1f6c5a9
                                                                                                                                                                                      • Instruction Fuzzy Hash: 98C1D630904248AFDF10DF54C845BEEB7F5AF09314F14A5ABE8106B3A1C779AE46CB69
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                      APIs
                                                                                                                                                                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00432396
                                                                                                                                                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,00000000,00000000,00000001,0000EA60,00000000,00000000,00000000,00000000,00000000,00432496,?,?), ref: 004323CA
                                                                                                                                                                                      • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 004323DF
                                                                                                                                                                                      • Sleep.KERNEL32(0000EA60,00000000,00000000,00000000,00000000,00000000,00432496,?,?,000000FF), ref: 004323E5
                                                                                                                                                                                      • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00432416
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                      • Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp Download File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: MessageObjectSingleWait$PeekPostSleep
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID: 246172536-0
                                                                                                                                                                                      • Opcode ID: 28f874f36f85dc648501992ffb576a62e84d1b74d72e09a3fd7f3c99b9e1a4a6
                                                                                                                                                                                      • Instruction ID: dec896a5644195750a9caf4b8a5c8f83e805d9f815fa85e5e6a7d6ba481035eb
                                                                                                                                                                                      • Opcode Fuzzy Hash: 28f874f36f85dc648501992ffb576a62e84d1b74d72e09a3fd7f3c99b9e1a4a6
                                                                                                                                                                                      • Instruction Fuzzy Hash: 5621F930780300AFEB308B399D45F7232E6976D710F10942AFA05D72D1D6FC7849EA29
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                      APIs
                                                                                                                                                                                      • socket.WS2_32(00000002,00000001,00000000), ref: 0043A619
                                                                                                                                                                                      • inet_addr.WS2_32(00000000), ref: 0043A62E
                                                                                                                                                                                      • gethostbyname.WS2_32(00000000), ref: 0043A643
                                                                                                                                                                                      • htons.WS2_32(?), ref: 0043A66E
                                                                                                                                                                                      • connect.WS2_32(B70F0B4E,B70F0B4E,00000010), ref: 0043A683
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                      • Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp Download File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: connectgethostbynamehtonsinet_addrsocket
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID: 2758610518-0
                                                                                                                                                                                      • Opcode ID: dae92c6cf85b471c6c9a36b15e454b55c24dd6688ec01e62c0eec8775bf61254
                                                                                                                                                                                      • Instruction ID: 809d0a6be3f584be98ab2d2e58dd21187b4c30ad83b2da7377ee8bb7c1c1d6da
                                                                                                                                                                                      • Opcode Fuzzy Hash: dae92c6cf85b471c6c9a36b15e454b55c24dd6688ec01e62c0eec8775bf61254
                                                                                                                                                                                      • Instruction Fuzzy Hash: D621F770A00204AFC700EFA5C846A9EB7F8EF48314F56056AF890EB3E1D7789D51CB59
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                      APIs
                                                                                                                                                                                      • VirtualQuery.KERNEL32(-0000004C,?,0000001C,00607910,-0000004C,?,0042C2AC,00000000,0042C430,?,00000000,0042C455,?,00607910,?,00000000), ref: 0040C10C
                                                                                                                                                                                      • GetVersion.KERNEL32(-0000004C,?,0000001C,00607910,-0000004C,?,0042C2AC,00000000,0042C430,?,00000000,0042C455,?,00607910,?,00000000), ref: 0040C137
                                                                                                                                                                                      • GetModuleFileNameA.KERNEL32(?,?,00000104,-0000004C,?,0000001C,00607910,-0000004C,?,0042C2AC,00000000,0042C430,?,00000000,0042C455), ref: 0040C152
                                                                                                                                                                                      • GetModuleFileNameW.KERNEL32(?,?,00000104,-0000004C,?,0000001C,00607910,-0000004C,?,0042C2AC,00000000,0042C430,?,00000000,0042C455), ref: 0040C170
                                                                                                                                                                                      • GetVersion.KERNEL32(?,?,00000104,-0000004C,?,0000001C,00607910,-0000004C,?,0042C2AC,00000000,0042C430,?,00000000,0042C455), ref: 0040C184
                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                      • Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                      • Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp Download File
                                                                                                                                                                                      • Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp Download File
                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_njw.jbxd
                                                                                                                                                                                      Yara matches
                                                                                                                                                                                      Similarity
                                                                                                                                                                                      • API ID: FileModuleNameVersion$QueryVirtual
                                                                                                                                                                                      • String ID:
                                                                                                                                                                                      • API String ID: 3263203797-0
                                                                                                                                                                                      • Opcode ID: f455460b28e76d056fe319c829ca2664afccd85581205a014853d5563891295a
                                                                                                                                                                                      • Instruction ID: 22667a5fcd4718f05c8b3b96abf03368a7852287611fde2aee556b70e3251d44
                                                                                                                                                                                      • Opcode Fuzzy Hash: f455460b28e76d056fe319c829ca2664afccd85581205a014853d5563891295a
                                                                                                                                                                                      • Instruction Fuzzy Hash: A0116275648306DBD710DB65C8C179B73D8AF88354F04093EBAC4EB3D1E27CD9449A56
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

C-Code - Quality: 54%
			E006888C0(void* __edi, void* __esi, intOrPtr _a4) {
				int _v8;
				int _v16;
				void** _v20;
				char _v24;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t32;
				DWORD* _t33;
				void* _t39;
				void* _t40;
				void* _t41;

				_t41 = _t40 - 0x104;
				 *0x695a1c = _a4;
				_v20 = 0x6885e0; // global slot that holds a process HANDLE
				if( *_v20 != 0) {
					_v24 = 0x103; // 0x103 == STILL_ACTIVE
					while(1) {
						_t33 =  &_v24;
						// block until the stored process has exited (or its handle is invalid);
						// 0xffffffff == INFINITE
						if(GetExitCodeProcess( *_v20, _t33) == 0 || _v24 != 0x103) {
							break;
						}
						WaitForSingleObject( *_v20, 0xffffffff);
					}
					Sleep(0x64); // 100 ms
					_t32 =  *0x695a24; // 0x0
					E0068D8ED(_t32, __eflags, _t32);
					_t41 = _t41 + 4;
					TerminateProcess(GetCurrentProcess(), 0); // ends this process; nothing below runs on this path
				}
				_v16 = 0;
				_v8 = 0;
				// From here on the decompiler is reading bytes that do not decode as valid
				// code (int 0xa4, bound, insd, int1, lock jecxz, fisub ...), which is what a
				// disassembler emits when it runs into data or not-yet-decoded code; do not
				// read the remainder of this listing as program logic.
				ds =  *((intOrPtr*)(L00688662(0x2d0000)));
				_push(_t33);
				__eflags =  *[ss:eax] & _t33;
				asm("popad");
				_pop(_t16);
				asm("int 0xa4");
				asm("bound ecx, [ecx+ebx*2-0x1b]");
				_t17 = _t16 + 0x1f;
				 *0x50313e4b = _t17;
				asm("insd");
				asm("int1");
				asm("std");
				asm("lock jecxz 0xffffff8d");
				asm("sbb [cs:ecx], edi");
				_pop(_t39);
				__eflags =  *0x35697c20 - _t39;
				asm("fisub dword [ebp-0x2056b01c]");
				asm("adc al, 0x66");
				return _t17;
			}














                                                                                                                                                                                      0x006888c3
                                                                                                                                                                                      0x006888ce
                                                                                                                                                                                      0x006888d3
                                                                                                                                                                                      0x006888e0
                                                                                                                                                                                      0x006888e2
                                                                                                                                                                                      0x006888e9
                                                                                                                                                                                      0x006888e9
                                                                                                                                                                                      0x006888fb
                                                                                                                                                                                      0x00000000
                                                                                                                                                                                      0x00000000
                                                                                                                                                                                      0x0068890e
                                                                                                                                                                                      0x0068890e
                                                                                                                                                                                      0x00688918
                                                                                                                                                                                      0x0068891e
                                                                                                                                                                                      0x00688925
                                                                                                                                                                                      0x0068892a
                                                                                                                                                                                      0x00688936
                                                                                                                                                                                      0x00688936
                                                                                                                                                                                      0x0068893c
                                                                                                                                                                                      0x00688943
                                                                                                                                                                                      0x00688956
                                                                                                                                                                                      0x00688958
                                                                                                                                                                                      0x00688959
                                                                                                                                                                                      0x0068895c
                                                                                                                                                                                      0x0068895d
                                                                                                                                                                                      0x0068895e
                                                                                                                                                                                      0x00688960
                                                                                                                                                                                      0x00688966
                                                                                                                                                                                      0x00688968
                                                                                                                                                                                      0x0068896d
                                                                                                                                                                                      0x0068896e
                                                                                                                                                                                      0x0068896f
                                                                                                                                                                                      0x00688970
                                                                                                                                                                                      0x00688973
                                                                                                                                                                                      0x00688976
                                                                                                                                                                                      0x0068897e
                                                                                                                                                                                      0x00688984
                                                                                                                                                                                      0x0068898a
                                                                                                                                                                                      0x0068898c

APIs
• GetExitCodeProcess.KERNEL32 ref: 006888F3
• WaitForSingleObject.KERNEL32(?,000000FF,002D0000), ref: 0068890E
• Sleep.KERNEL32(00000064,002D0000), ref: 00688918
• GetCurrentProcess.KERNEL32(00000000), ref: 0068892F
• TerminateProcess.KERNEL32(00000000), ref: 00688936
Memory Dump Source
• Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: Process$CodeCurrentExitObjectSingleSleepTerminateWait
• String ID:
• API String ID: 2193199854-0
• Opcode ID: 1e0326f6e530d88493b1d38d759fa8794137f1a95d23da9cc5432bc7edb69d24
• Instruction ID: 64935fc30731b2e995114be468fa0491e1ea4bd70328842594547ad78fe23d2d
• Opcode Fuzzy Hash: 1e0326f6e530d88493b1d38d759fa8794137f1a95d23da9cc5432bc7edb69d24
• Instruction Fuzzy Hash: 5721CFB4900205DFCB10DFA4CC48BAEB77ABF09714F104259E512A73A0DB749A46CB61
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetCurrentThreadId.KERNEL32 ref: 004325C4
• InterlockedIncrement.KERNEL32(005FD438), ref: 004325E1
• CreateEventA.KERNEL32(00000000,000000FF,00000000,00000000,00000001,00445D3A,00000000,000000FF,00000000,00000000,00000010,00000000,00445EC5,?,T$E,005FA000), ref: 004325F2
• InterlockedDecrement.KERNEL32(005FD438), ref: 00432603
• SetEvent.KERNEL32(00000000,00000001,00445D3A,00000000,000000FF,00000000,00000000,00000010,00000000,00445EC5,?,T$E,005FA000,00000000), ref: 0043261B
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: EventInterlocked$CreateCurrentDecrementIncrementThread
• String ID:
• API String ID: 1795649823-0
• Opcode ID: ae4b4dec4712e350aa0650b70b344b901bc27ae2bbc9e14b72ce37f93b4b6bf4
• Instruction ID: ce942dd0e334b2d9eaacfc643de30fd5d71ee4f41a3f8cdf8da9684b60f541e1
• Opcode Fuzzy Hash: ae4b4dec4712e350aa0650b70b344b901bc27ae2bbc9e14b72ce37f93b4b6bf4
• Instruction Fuzzy Hash: E50131706852009ADB10EB7D9D4A77B36F56B28304F50152AAE04D62E1E6FC7409FF39
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 29%
E00688CA4(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed char* _a16, char** _a20) {
	intOrPtr _v8;
	int _v12;
	unsigned int _v16;
	int _v20;
	intOrPtr _t40;
	signed char _t68;
	signed int _t75;
	void* _t90;

	/* one-time initialisation: bit 0 of the byte at 0x695aac records that the
	   helper at 0x68f66e has already been called with ("PathMatchSpecA", "shlwapi.dll") */
	if(( *0x695aac & 1) == 0) {
		_t68 =  *0x695aac & 0x000000ff | 0x00000001;
		 *0x695aac = _t68;
		0x68f66e("PathMatchSpecA", "shlwapi.dll");
		 *0x695aa8 = _t68;
	}
	if(_a8 == 0) {
		L4:
		/* helper at 0x690610 scans the remainder (_a12 + _a8) for 0x5c ('\\') */
		_t40 = _a12 + _a8;
		0x690610(_t40, 0x5c);
		_v8 = _t40;
		if(_v8 == 0) {
			/* no backslash found: match the whole remainder against the pattern */
			 *_a16 =  *_a16 & 0x00000000;
			_v20 = PathMatchSpecA(_a12 + _a8, _a4 + _a8);
			 *_a20 = _a12 + _a8;
			return _v20;
		}
		 *_a16 = 1;
		/* length of the component before the backslash; it must fit (with its
		   terminator) in the 0x80-byte static buffer at 0x695a28 */
		_v16 = _v8 - _a12 + _a8;
		if(_v16 + 1 <= 0x80) {
			_t90 = _a12 + _a8;
			_t75 = _v16 >> 2;
			/* dword-wise copy followed by the remaining 0-3 bytes, then NUL-terminate */
			memcpy(_t90 + _t75 + _t75, _t90, memcpy(0x695a28, _t90, _t75 << 2) & 0x00000003);
			0x695a28[_v16] = 0x695a28[_v16] & 0x00000000;
			 *_a20 = 0x695a28;
			_v12 = PathMatchSpecA(0x695a28, _a4 + _a8);
			return _v12;
		}
		return 0;
	} else {
		/* decompiler rendering of an inline string compare; the operands were lost,
		   which is why the following condition is a constant */
		asm("repe cmpsb");
		if(0 != 0) {
			return 0;
		}
		goto L4;
	}
}

Addresses: 0x00688cb8 0x00688cc1 0x00688cc3 0x00688cd2 0x00688cd9 0x00688cd9 0x00688ce2 0x00688cf7 0x00688cfc 0x00688d00 0x00688d07 0x00688d0e 0x00688d7f 0x00688d96 0x00688da2 0x00000000 0x00688da4 0x00688d13 0x00688d21 0x00688d2d 0x00688d39 0x00688d43 0x00688d4d
                                                                                                                                                                                      0x00688d52
                                                                                                                                                                                      0x00688d5c
                                                                                                                                                                                      0x00688d74
                                                                                                                                                                                      0x00000000
                                                                                                                                                                                      0x00688d77
                                                                                                                                                                                      0x00000000
                                                                                                                                                                                      0x00688ce4
                                                                                                                                                                                      0x00688cef
                                                                                                                                                                                      0x00688cf1
                                                                                                                                                                                      0x00000000
                                                                                                                                                                                      0x00688da9
                                                                                                                                                                                      0x00000000
                                                                                                                                                                                      0x00688cf1

APIs
• PathMatchSpecA.SHLWAPI(00695A28,00000000,024B0AF8,024B09F4,00000000), ref: 00688D6E
Strings
Memory Dump Source
• Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: MatchPathSpec
• String ID: PathMatchSpecA$shlwapi.dll
• API String ID: 3588000350-1850424724
• Opcode ID: d4d681f8841aadaed2aff48510eb239c8951212f443be9da5c78281a6dbf2643
• Instruction ID: fa21303ae6c48e0c41d3ae625a9de3bf7e06d3ceab1516d15e0d738c156cbc0f
• Opcode Fuzzy Hash: d4d681f8841aadaed2aff48510eb239c8951212f443be9da5c78281a6dbf2643
• Instruction Fuzzy Hash: 27314672A00609AFDF05DF68D881A9E3BFAEF08324F148545FC16DB781D670EA51CB58
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 62%
E0068E82B(void* __ecx, intOrPtr _a4, intOrPtr _a8, CHAR* _a12, char _a16) {
	signed int _v8;
	intOrPtr _v20;
	char* _v32;
	CHAR* _v36;
	int _v40;
	void* _t33;
	intOrPtr _t44;

	_push(0xffffffff);
	_push(0x693518);
	_push(0x69052c);
	_push( *[fs:0x0]);
	 *[fs:0x0] = _t44;
	EnterCriticalSection( *0x006885E4 + 0x48);
	_v8 = _v8 & 0x00000000;
	_v36 = 0x695b10;
	_push(_a8);
	_push(_a4);
	_v40 = wsprintfA(_v36, "Error at %s:%dReason: ");
	_v32 =  &_a16;
	wvsprintfA( &(_v36[_v40]), _a12, _v32);
	_v32 = _v32 & 0x00000000;
	E0068E7D5(_v36);
	E0068E7A0(_v36);
	_v8 = _v8 | 0xffffffff;
	_t33 = E0068E8BF();
	 *[fs:0x0] = _v20;
	return _t33;
}


APIs
• EnterCriticalSection.KERNEL32(024B0440), ref: 0068E85C
• wsprintfA.USER32 ref: 0068E87B
• wvsprintfA.USER32(?,?,?), ref: 0068E89A
  • Part of subcall function 0068E7A0: ChangeDisplaySettingsA.USER32(00000000,00000000), ref: 0068E7AB
  • Part of subcall function 0068E7A0: MessageBoxA.USER32 ref: 0068E7BE
  • Part of subcall function 0068E7A0: GetCurrentProcess.KERNEL32(00000000,?,0068E94B,?,?,?,?,?,?,?,00000000,0069052C,00693528,000000FF,?,00688B8D), ref: 0068E7C6
  • Part of subcall function 0068E7A0: TerminateProcess.KERNEL32(00000000,?,0068E94B,?,?,?,?,?,?,?,00000000,0069052C,00693528,000000FF,?,00688B8D), ref: 0068E7CD
  • Part of subcall function 0068E8BF: LeaveCriticalSection.KERNEL32(024B0440,0068E8BD), ref: 0068E8CB
Strings
Memory Dump Source
• Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: CriticalProcessSection$ChangeCurrentDisplayEnterLeaveMessageSettingsTerminatewsprintfwvsprintf
• String ID: Error at %s:%dReason:
• API String ID: 1133955834-961022370
• Opcode ID: 108c023aa95facecf5ef007a72260641e58a67f23541bbbba2a092ae1221f4bb
• Instruction ID: a1272caa66c16dd22622031d40702c34b874728716aae04d2e0ddd64f508a35b
• Opcode Fuzzy Hash: 108c023aa95facecf5ef007a72260641e58a67f23541bbbba2a092ae1221f4bb
• Instruction Fuzzy Hash: B9111CB6900218EFCF01AF94CD06BDEBBBAFB04711F004619F411A76A1D73A9A10CF64
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetVersion.KERNEL32(00000000,00412EE8,?,00000000,00000000,00000000,?,00412F4B,?,00000000,00412F70,?,?), ref: 00412E90
• GetModuleHandleW.KERNEL32(?,00000000,00412EE8,?,00000000,00000000,00000000,?,00412F4B,?,00000000,00412F70,?,?), ref: 00412EAD
• GetModuleHandleA.KERNEL32(?,00000000,00412EE8,?,00000000,00000000,00000000,?,00412F4B,?,00000000,00412F70,?,?), ref: 00412EBD
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: HandleModule$Version
• String ID: >0';09fg{199
• API String ID: 1014407405-719157153
• Opcode ID: 275d76fa8e0bdc42ef469e2a6467497d3318c3539c4231b2abc36f330a4088c5
• Instruction ID: 54d1675df772ca940160094fd9df4543ef9a835a4984107498cff26b08164f4c
• Opcode Fuzzy Hash: 275d76fa8e0bdc42ef469e2a6467497d3318c3539c4231b2abc36f330a4088c5
• Instruction Fuzzy Hash: 6401A230A44304AFE710DBA1CE42B9E77EDE708308F60146AFA00E6690D77869A0D62E
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCurrentThreadId.KERNEL32 ref: 0040BF04
• WaitForSingleObject.KERNEL32(00000254,000000FF), ref: 0040BF14
• IsWindow.USER32(?), ref: 0040C00C
• ReleaseMutex.KERNEL32(00000254,0040C09A,00000254,000000FF), ref: 0040C08D
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: CurrentMutexObjectReleaseSingleThreadWaitWindow
• String ID:
• API String ID: 3208048871-0
• Opcode ID: ae59ee08c1104686800ee556cc089dcbe803130fc6de61ddeef42e814996db68
• Instruction ID: 349ed9152cc61fac1390ed2cf01f05ad9c8a19a611f7ae9e7dabc89df224534f
• Opcode Fuzzy Hash: ae59ee08c1104686800ee556cc089dcbe803130fc6de61ddeef42e814996db68
• Instruction Fuzzy Hash: F7516E31A00109CFCB10DF59D9C1A6BB7A5FB45358B24827AE808EB3A1E735AD51CBD8
Uniqueness
Uniqueness Score: -1.00%

APIs
• SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00459E87
• SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00459EA3
• SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00459F1A
• VariantClear.OLEAUT32(?), ref: 00459F43
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: ArraySafe$Bound$ClearIndexVariant
• String ID:
• API String ID: 920484758-0
• Opcode ID: 872affc479cb4ba8f9e851afa09399f46918b7aba8d055d8bc924790bd140f9c
• Instruction ID: 6be4f358f5cfd21a05e0316b60066d43cd18b87475852423466a2bdf2511df4d
• Opcode Fuzzy Hash: 872affc479cb4ba8f9e851afa09399f46918b7aba8d055d8bc924790bd140f9c
• Instruction Fuzzy Hash: 9A411F75A0121DDBCB61DB59CC91BDAB3BCAB48705F0041DAE948E7352DA38AF888F54
Uniqueness
Uniqueness Score: -1.00%

APIs
• EnterCriticalSection.KERNEL32(00695AC8), ref: 00689AE9
• GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,?), ref: 00689B3F
• GetCurrentProcess.KERNEL32(?,00000000), ref: 00689B49
• DuplicateHandle.KERNEL32(00000000), ref: 00689B50
Memory Dump Source
• Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: CurrentProcess$CriticalDuplicateEnterHandleSection
• String ID:
• API String ID: 3636454022-0
• Opcode ID: be27807574e3fb6f7ad841ce1fddda290b561b1e9e66978b2b322621894a9a69
• Instruction ID: bb666b53e748feb997cfddb8f58cc1b6f519ecf5cf7b6f944b2d8cc56762da6c
• Opcode Fuzzy Hash: be27807574e3fb6f7ad841ce1fddda290b561b1e9e66978b2b322621894a9a69
• Instruction Fuzzy Hash: 2A311671904218EFDF15EF98EC45FAE77BAFB08721F148219F525AA6D0C7759900CB28
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateCompatibleDC.GDI32(00000000), ref: 00421166
• CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 00421186
• SelectObject.GDI32(?,?), ref: 004211B3
• DeleteDC.GDI32(?), ref: 004211C2
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: Create$CompatibleDeleteObjectSectionSelect
• String ID:
• API String ID: 4257765504-0
• Opcode ID: b17648be7af0e6145d85bdf13f3e75213a0648f60e758f74541efb09527dcae8
• Instruction ID: 1e16b369fa67c417119442061e1b4e59c749474209967899c82ef8b761f9d776
• Opcode Fuzzy Hash: b17648be7af0e6145d85bdf13f3e75213a0648f60e758f74541efb09527dcae8
• Instruction Fuzzy Hash: E1213870A04205AFE710DF59D881B9ABBF4FF89314F60852AF944EB390D774AD90CBA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• LocalAlloc.KERNEL32(00000040,?,00000008,00000000,-0000001A,00000000,?,0042E449,00000000,00000000,00000000,00000000,00000001,00000000,|pC,00000000), ref: 0042E27E
• LocalFree.KERNEL32(00000000,00000040,?,00000008,00000000,-0000001A,00000000,?,0042E449,00000000,00000000,00000000,00000000,00000001,00000000,|pC), ref: 0042E295
• LocalAlloc.KERNEL32(00000040,00000001,00000008,00000000,-0000001A,00000000,?,0042E449,00000000,00000000,00000000,00000000,00000001,00000000,|pC,00000000), ref: 0042E2A6
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: Local$Alloc$Free
• String ID: 'B
• API String ID: 209276640-1013193731
• Opcode ID: d676fbc91f9ab19ef8dd3de7068da17e71fe077dbb17b5e6231613199da1c028
• Instruction ID: 19ee342adb76c7c48b5d11c1e2e5e861cfa44e34713da2f18f0219dd324557d5
• Opcode Fuzzy Hash: d676fbc91f9ab19ef8dd3de7068da17e71fe077dbb17b5e6231613199da1c028
• Instruction Fuzzy Hash: 23214A356042259FCB00DF5CD9C1D5A7BE5EF99310B1180A9EA40AB366CB34FD01CBA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• LocalAlloc.KERNEL32(00000040,?,?,00000000,00000000,?,B70F0B92,0043BF04,?,?,-00000001,00000000,00000000,00000000,B70F0BAA,0043C43B), ref: 0043BC08
• LocalFree.KERNEL32(00000000,?,00000000,00000000,?,B70F0B92,0043BF04,?,?,-00000001,00000000,00000000,00000000,B70F0BAA,0043C43B,B70F0BAA), ref: 0043BC29
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: Local$AllocFree
• String ID: InternetQueryOptionA$wininet.dll
• API String ID: 2012307162-3276249405
• Opcode ID: 3be8ad25b74754897b8396812fca5120a472dac4a785b0120672350144ca993e
                                                                                                                                                                                      • Instruction ID: 0b1dfe1f02c53ed3b24e606b159117424296f1c035b87623e9ae62471a08c91a
                                                                                                                                                                                      • Opcode Fuzzy Hash: 3be8ad25b74754897b8396812fca5120a472dac4a785b0120672350144ca993e
                                                                                                                                                                                      • Instruction Fuzzy Hash: FC016261B442097AE620B6A59C43F6F62ACDB48755F10103BB704FA1C1DFB8AE0092A9
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

APIs
• InflateRect.USER32(?), ref: 00424A26
• CreateSolidBrush.GDI32(?), ref: 00424A2F
• FillRect.USER32(?,?,00000000), ref: 00424A3C
• DeleteObject.GDI32(00000000), ref: 00424A42
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: Rect$BrushCreateDeleteFillInflateObjectSolid
• String ID:
• API String ID: 2337690274-0
• Opcode ID: fd7f8c9fc395e0268748c1d1e190c2a0623abfc1c46801e6836385f398eb06b0
• Instruction ID: adc012cdce8ce5855f2d405109d280a060c724324c04b767c54b41ba5d789d59
• Opcode Fuzzy Hash: fd7f8c9fc395e0268748c1d1e190c2a0623abfc1c46801e6836385f398eb06b0
• Instruction Fuzzy Hash: E6E0E5B3A04519268701EAEA9C81CFFB39CDE422607040A3BBD10F7241E9B5BD0042B9
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 75%
			/* Decompiler output: fatal-error handler. Restores the display mode,
			   shows the message passed in ECX as an error box, then terminates
			   the current process. The title comes from a global at 0x6934fc. */
			E0068E7A0(CHAR* __ecx) {
				CHAR* _v8;

				_push(__ecx);
				_v8 = __ecx;
				ChangeDisplaySettingsA(0, 0);             /* reset to default display settings */
				MessageBoxA(0, _v8,  *0x6934fc, 0x10);    /* 0x10 = MB_ICONERROR */
				return TerminateProcess(GetCurrentProcess(), 0);
			}

APIs
• ChangeDisplaySettingsA.USER32(00000000,00000000), ref: 0068E7AB
• MessageBoxA.USER32 ref: 0068E7BE
• GetCurrentProcess.KERNEL32(00000000,?,0068E94B,?,?,?,?,?,?,?,00000000,0069052C,00693528,000000FF,?,00688B8D), ref: 0068E7C6
• TerminateProcess.KERNEL32(00000000,?,0068E94B,?,?,?,?,?,?,?,00000000,0069052C,00693528,000000FF,?,00688B8D), ref: 0068E7CD
Memory Dump Source
• Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: Process$ChangeCurrentDisplayMessageSettingsTerminate
• String ID:
• API String ID: 428500978-0
• Opcode ID: 47ef1aee9bb43730a3d04e5537af9fbdf77bc14f2df3b225521764875a240f47
• Instruction ID: 0e2ff15b99a2abcf03c4a83072e9aaecf231c13e8884f75b5e29c6fe4496751f
• Opcode Fuzzy Hash: 47ef1aee9bb43730a3d04e5537af9fbdf77bc14f2df3b225521764875a240f47
• Instruction Fuzzy Hash: F0E01735A84318FBEB005FD0AD0FF897A7EAB08B02F005002F305956E0CAB19A00AB25
Uniqueness

Uniqueness Score: -1.00%

APIs
• WSAStartup.WS2_32(00000101,B70F0A0A), ref: 0043C3FD
• WSACleanup.WS2_32 ref: 0043C50D
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: CleanupStartup
• String ID: Prepare attachments...
• API String ID: 915672949-951313767
• Opcode ID: 0e2c6ebd811b29d5f48aef008382e8303504c4f3cfdcd8b5330aab5eeaf4ef2b
• Instruction ID: 2bd39d02f14d9d463404da3409ade706292153b640d55638cf1153c73d5d0675
• Opcode Fuzzy Hash: 0e2c6ebd811b29d5f48aef008382e8303504c4f3cfdcd8b5330aab5eeaf4ef2b
• Instruction Fuzzy Hash: 6C613B71600118AFDB00EF69D881A9EB3F4EF89304F5191AAF915AB3A1CB38ED51CF55
Uniqueness

Uniqueness Score: -1.00%

APIs
• select.WS2_32(00000000,B70F0646,00000000,00000000,B70F0B4A), ref: 0043A97F
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: select
• String ID: LOGIN $AUTH
• API String ID: 1274211008-1546186761
• Opcode ID: a32147f267e8543d6b9217ccab232fed38b9d4415535d6fea0ce02357a3bfc84
• Instruction ID: 06a8cb4fbbc617a0ec0ab69d1e7e85324d3b0c20fa45b4d5a5ec2628b3244ea2
• Opcode Fuzzy Hash: a32147f267e8543d6b9217ccab232fed38b9d4415535d6fea0ce02357a3bfc84
• Instruction Fuzzy Hash: 2E61D671E401499FDB10EB98C841BEEB7F5AF89314F1542AAE540B73C1D738AE41CB5A
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetWindowLongA.USER32(00000000,000000EB), ref: 00443405
• SetFocus.USER32(00000000,?,?,?,?,?,?,?), ref: 0044343D
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: FocusLongWindow
• String ID: Button
• API String ID: 1009637312-1034594571
• Opcode ID: 9ad93541b943a1b70ae94cc41dc0d90e9f16f1fc664b8a26f08325297139d02c
• Instruction ID: 64e0de0a37c5cb3d52a954156661b9220356a1a2ebeaa848b3f04e39c9dd414c
• Opcode Fuzzy Hash: 9ad93541b943a1b70ae94cc41dc0d90e9f16f1fc664b8a26f08325297139d02c
• Instruction Fuzzy Hash: 87515E70A046449FEB01CF58C48AB8EBBE4AF15759F5581A6F800DB3A1C778EE90CB95
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 0042B8E0
• VirtualQuery.KERNEL32(00000000,?,0000001C), ref: 0042B964
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: FileModuleNameQueryVirtual
• String ID: !C
• API String ID: 2827130835-2273022293
• Opcode ID: fdd6b981d6011093a4f461e2da5ceaa0b3068512a2ff2ae0db43e9e4ce2c7fbe
• Instruction ID: 75b32fe06ecb1dacb13bc3d14130df2f4d1d3ece9f310cdfe7b1a3eb8df6ad23
• Opcode Fuzzy Hash: fdd6b981d6011093a4f461e2da5ceaa0b3068512a2ff2ae0db43e9e4ce2c7fbe
• Instruction Fuzzy Hash: FE318DB1A001199FDB10DF65D881AEEB3F9EB89304F558076EA04A7351E738AE41CB95
Uniqueness

Uniqueness Score: -1.00%

APIs
• OffsetRect.USER32(?), ref: 004251E2
• EnableWindow.USER32(?,00000000), ref: 0042524F
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: EnableOffsetRectWindow
• String ID: MZP
• API String ID: 764227307-2889622443
• Opcode ID: 53cab7d8d2e9a20e3cd087ee3f9230bac5fbed9fb1170ac651fa96390b789079
• Instruction ID: bd40e926921a7d22917b672452e7d84544ff11ed307ea76fcc1ba7da56dacfb2
• Opcode Fuzzy Hash: 53cab7d8d2e9a20e3cd087ee3f9230bac5fbed9fb1170ac651fa96390b789079
• Instruction Fuzzy Hash: DE216D71204244AFDB14DF69D882F577BECEF89714F51846AF908DB292C678ED10CBA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFontA.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 0042492D
• CreateFontA.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,MS Sans Serif), ref: 00424957
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: CreateFont
• String ID: MS Sans Serif
• API String ID: 1830492434-168460110
• Opcode ID: f89f0895e41812514041ddcca525e1f7c5f35d48006dafca22d1f8f7d45cf52c
• Instruction ID: b283902c23064c77dacff4d557f271f56f8165b239726fa61cbeb7dfca121dc0
• Opcode Fuzzy Hash: f89f0895e41812514041ddcca525e1f7c5f35d48006dafca22d1f8f7d45cf52c
• Instruction Fuzzy Hash: 72114CB07C47187AF631A625AC53F6B669CC786F58FB20466BB00BF2C1D6E97D00526C
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetSystemTime.KERNEL32(B70F0B2A,00000000,0043A8EA,B70F0B42,00000000), ref: 0043A894
• SystemTimeToFileTime.KERNEL32(B70F0B2A,B70F0B3A,B70F0B2A,00000000,0043A8EA,B70F0B42,00000000), ref: 0043A8A1
Strings
Memory Dump Source
• Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: Time$System$File
• String ID: @madExcept>
• API String ID: 2838179519-2072251058
• Opcode ID: 54e788ebe961d1a14942800d32ec4af3b20eeb0b29f5530c95810601b65f6d0d
• Instruction ID: c574a8e7f197a642d6d52c84c3cf6af38a8b6244ca983341b788b5946a4d1509
• Opcode Fuzzy Hash: 54e788ebe961d1a14942800d32ec4af3b20eeb0b29f5530c95810601b65f6d0d
• Instruction Fuzzy Hash: AD01A771A04209AFDB05EBA5CC52DDEF7BDEB88304F514436F500E3291DA3C95168665
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 65%
E0068E978(void* __ecx) {
	CHAR* _v8;
	char _v12;
	signed int _t18;

	_push(__ecx);
	_push(__ecx);
	_v12 = E0068E6F9(__ecx, 0x105);
	_t2 =  &_v12; // 0x68ea32
	_v8 =  *_t2;
	_t18 = 0x41;
	memset(_v8, 0, _t18 << 2);
	asm("stosb");
	if(GetModuleFileNameA(GetModuleHandleA(0), _v8, 0x104) == 0) {
		E0068E6E1(_t13, 0xef000012);
	}
	return _v8;
}

Instruction addresses for the listing above: 0x0068e97b, 0x0068e97c, 0x0068e989, 0x0068e98c, 0x0068e98f, 0x0068e994, 0x0068e99a, 0x0068e99c, 0x0068e9b6, 0x0068e9bd, 0x0068e9bd, 0x0068e9c7

APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,0068EA32,?,?,?,0068D02B,00000000), ref: 0068E9A7
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,0068EA32,?,?,?,0068D02B,00000000), ref: 0068E9AE
  • Part of subcall function 0068E6E1: RaiseException.KERNEL32(00000000,00000000,00000000,00000000,EF00000D,?,0068E777,024B0488,?,0068E703,024B0488,024B0488,?,00688580,00000068), ref: 0068E6F1
Strings
Memory Dump Source
• Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp
• Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
• Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
• API ID: Module$ExceptionFileHandleNameRaise
• String ID: 2h
• API String ID: 1728487212-1340067111
• Opcode ID: 3ceee1dd2f621950e323722cb6026c21b5abbe8241eba17536c2fab1ff990bc8
                                                                                                                                                                                      • Instruction ID: 39cc27cd696208977c5bbf476feb69712a3c2600a7ec5273ce1ead1d372b6155
                                                                                                                                                                                      • Opcode Fuzzy Hash: 3ceee1dd2f621950e323722cb6026c21b5abbe8241eba17536c2fab1ff990bc8
                                                                                                                                                                                      • Instruction Fuzzy Hash: 6EF03771B00204BFDF44EFE9DC46A9D77BADB44710F100159F605D6281E6F15E909714
                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                      Uniqueness Score: -1.00%

APIs
  • FreeLibrary.KERNEL32(00000000,00000000,InternetGetConnectedState,wininet.dll,?,-00000001,00000000,0043DAA3), ref: 00438CB6
Strings
Memory Dump Source
  • Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
  • Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
  • API ID: FreeLibrary
  • String ID: InternetGetConnectedState$wininet.dll
  • API String ID: 3664257935-596207600
  • Opcode ID: e59751470d5d26d60e7e173a1f44e6a9e7c316e99b22d6b4d1203cf659e29a1f
  • Instruction ID: 4ca9f8c7ee16214017bfaab395b57ec9ed8696ad72bb100aea6334ebd5df06b4
  • Opcode Fuzzy Hash: e59751470d5d26d60e7e173a1f44e6a9e7c316e99b22d6b4d1203cf659e29a1f
  • Instruction Fuzzy Hash: 45E08611B0AB123AA21162F60D81FBF818C8B49354F10743FB900E6281EEACEC0573BE
Uniqueness
  Uniqueness Score: -1.00%

APIs
  • InitializeCriticalSection.KERNEL32(006065C8,00000000,00401C12,?,?,004023F6,02647FFC,00001150,00000000,?,?,00401DE5,00401DFA,00401F4B), ref: 00401B72
  • EnterCriticalSection.KERNEL32(006065C8,006065C8,00000000,00401C12,?,?,004023F6,02647FFC,00001150,00000000,?,?,00401DE5,00401DFA,00401F4B), ref: 00401B85
  • LocalAlloc.KERNEL32(00000000,00000FF8,006065C8,00000000,00401C12,?,?,004023F6,02647FFC,00001150,00000000,?,?,00401DE5,00401DFA,00401F4B), ref: 00401BAF
  • LeaveCriticalSection.KERNEL32(006065C8,00401C19,00000000,00401C12,?,?,004023F6,02647FFC,00001150,00000000,?,?,00401DE5,00401DFA,00401F4B), ref: 00401C0C
Memory Dump Source
  • Source File: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp
  • Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
  • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
  • String ID:
  • API String ID: 730355536-0
  • Opcode ID: 005e12c1676a6c06027b5989c53f5e188c4d05d89083241b3521b0cdc3bc4812
  • Instruction ID: f8c97ea0b5d985f243c5f93e84b6751703d72cd10dd25517e3de6ea68c011d8c
  • Opcode Fuzzy Hash: 005e12c1676a6c06027b5989c53f5e188c4d05d89083241b3521b0cdc3bc4812
  • Instruction Fuzzy Hash: 2601D6701C46405EE31AAF29DC067173ED6E78A708F40443EF001AB2F1DABD8860C75A
Uniqueness
  Uniqueness Score: -1.00%

C-Code - Quality: 86%
			E00688240(struct _CRITICAL_SECTION* __ecx) {
				struct _CRITICAL_SECTION* _v8;

				_push(__ecx);
				_v8 = __ecx;                             /* __thiscall: ecx is the object being constructed */
				 *((intOrPtr*)(_v8 + 0x60)) = 0;         /* two DWORD fields behind the locks are zeroed */
				 *((intOrPtr*)(_v8 + 0x64)) = 0;
				InitializeCriticalSection(_v8);          /* +0x00; the decompiler's offsets are bytes, and */
				InitializeCriticalSection(_v8 + 0x18);   /* +0x18  0x18 is sizeof(CRITICAL_SECTION) on x86, */
				InitializeCriticalSection(_v8 + 0x30);   /* +0x30  so these are four consecutive critical */
				InitializeCriticalSection(_v8 + 0x48);   /* +0x48  sections at the start of the object */
				return _v8;
			}

Instruction addresses covered by the listing above (the four InitializeCriticalSection call sites are 0x0068825F, 0x0068826C, 0x00688279 and 0x00688286, as in the APIs list for this function):
0x00688243, 0x00688244, 0x0068824a, 0x00688254, 0x0068825f, 0x0068826c, 0x00688279, 0x00688286, 0x00688292

APIs
  • InitializeCriticalSection.KERNEL32(00000000,00000000), ref: 0068825F
  • InitializeCriticalSection.KERNEL32(-00000018), ref: 0068826C
  • InitializeCriticalSection.KERNEL32(-00000030), ref: 00688279
  • InitializeCriticalSection.KERNEL32(-00000048), ref: 00688286
Memory Dump Source
  • Source File: 00000000.00000002.932242058.0000000000688000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.931974315.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.931984957.0000000000401000.00000004.00020000.sdmp
  • Associated: 00000000.00000002.932199946.0000000000637000.00000008.00020000.sdmp
  • Associated: 00000000.00000002.932256445.0000000000693000.00000004.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_njw.jbxd
Yara matches
Similarity
  • API ID: CriticalInitializeSection
  • String ID:
  • API String ID: 32694325-0
  • Opcode ID: 274f5669fe50b6e2d1d9705d061411af5feb26e9d31ec1585b91964e9da08499
  • Instruction ID: 1dc7b8de878bb0b43b31c6e804c54fbe5212c4b89aa1f7313e32c244b3e0c902
  • Opcode Fuzzy Hash: 274f5669fe50b6e2d1d9705d061411af5feb26e9d31ec1585b91964e9da08499
  • Instruction Fuzzy Hash: 10F074B890031CEBCB04DF98DA58B5EB7B9BB48305F204189E805A3751C735AF11EF94
Uniqueness
  Uniqueness Score: -1.00%
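The constructor E00688240 above fixes the layout of the object it initialises: four critical sections at +0x00, +0x18, +0x30 and +0x48 (0x18 bytes apart, the size of CRITICAL_SECTION on 32-bit Windows) followed by two DWORDs at +0x60 and +0x64, so the object is 0x68 bytes. The following is an added example, not part of the Joe Sandbox report and not code recovered from njw.exe: it reconstructs that layout with fixed-width fields so the offsets can be checked on any platform, and mirrors the constructor with a portable stand-in for InitializeCriticalSection. The field names (lock, field_60, field_64) and the struct name are assumptions chosen for illustration, not recovered symbols.

```c
/* Added example: reconstruction of the object layout implied by E00688240
 * in the njw.exe analysis. Field and type names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x86 RTL_CRITICAL_SECTION as laid out on 32-bit Windows (0x18 bytes):
 * DebugInfo, LockCount, RecursionCount, OwningThread, LockSemaphore, SpinCount.
 * Pointer-sized members are modelled as uint32_t so the layout is the
 * sample's 32-bit layout regardless of the host compiler. */
typedef struct {
    uint32_t DebugInfo;
    int32_t  LockCount;
    int32_t  RecursionCount;
    uint32_t OwningThread;
    uint32_t LockSemaphore;
    uint32_t SpinCount;
} cs32_t;

/* The object E00688240 constructs (name assumed). */
typedef struct {
    cs32_t   lock[4];      /* +0x00, +0x18, +0x30, +0x48: the four InitializeCriticalSection calls */
    uint32_t field_60;     /* +0x60: zeroed by the constructor (name assumed) */
    uint32_t field_64;     /* +0x64: zeroed by the constructor (name assumed) */
} njw_obj_t;

/* Portable mirror of E00688240. InitializeCriticalSection is replaced by the
 * state it leaves behind: all members zero except LockCount, which is -1
 * (the classic "unlocked" value) so the object is recognisable in a dump. */
njw_obj_t *njw_obj_init(njw_obj_t *o)
{
    o->field_60 = 0;
    o->field_64 = 0;
    for (size_t i = 0; i < 4; i++) {
        memset(&o->lock[i], 0, sizeof o->lock[i]);
        o->lock[i].LockCount = -1;
    }
    return o;
}

/* Returns 1 if the reconstructed struct reproduces every constant seen in the
 * decompilation (0x18 stride, +0x60/+0x64 fields, 0x68 total size). */
int njw_layout_matches_decompilation(void)
{
    return sizeof(cs32_t) == 0x18
        && offsetof(njw_obj_t, lock) + 1 * sizeof(cs32_t) == 0x18
        && offsetof(njw_obj_t, lock) + 2 * sizeof(cs32_t) == 0x30
        && offsetof(njw_obj_t, lock) + 3 * sizeof(cs32_t) == 0x48
        && offsetof(njw_obj_t, field_60) == 0x60
        && offsetof(njw_obj_t, field_64) == 0x64
        && sizeof(njw_obj_t) == 0x68;
}

/* Returns 1 if njw_obj_init leaves a dirty object in the expected state:
 * both trailing fields zero and every lock in the unlocked initial state. */
int njw_obj_init_clears_fields(void)
{
    njw_obj_t o;
    memset(&o, 0xFF, sizeof o);          /* constructed dirty memory, as a fresh heap block could be */
    njw_obj_init(&o);
    for (size_t i = 0; i < 4; i++) {
        if (o.lock[i].LockCount != -1 || o.lock[i].RecursionCount != 0 ||
            o.lock[i].OwningThread != 0 || o.lock[i].LockSemaphore != 0)
            return 0;
    }
    return o.field_60 == 0 && o.field_64 == 0;
}

int main(void)
{
    printf("layout matches decompilation: %d\n", njw_layout_matches_decompilation());
    printf("constructor state ok:         %d\n", njw_obj_init_clears_fields());
    printf("sizeof(njw_obj_t) = 0x%zx\n", sizeof(njw_obj_t));
    return 0;
}
```

The layout check is the useful part when reading the rest of the report: any function that receives this object in ecx and touches offsets below 0x60 is taking or releasing one of the four locks, and offsets 0x60 and 0x64 are the only non-lock state the constructor sets.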